Computer forensics analysis and validation ppt

Published Date:15-07-2017
Mag. iur. Dr. techn. Michael Sonntag
Introduction to Computer Forensics
Institute for Information Processing and Microprocessor Technology (FIM), Johannes Kepler University Linz, Austria
E-Mail:
© Michael Sonntag 2012

What is "Computer Forensics"?
- Computer Forensics (CF) is obtaining digital evidence
  » Analogue evidence is usually not considered here: use "ordinary" forensics to gather/evaluate it
    – Analogue computers are almost non-existent today
- This may come from running systems or parts of them
  » Hard disks, flash drives, PDAs, mobile phones, telephones, copiers, "pads" etc.
- Can be evidence for computer crimes (computer fraud, hacking, …) or any other crime (documents with plans for x), or for various other uses
- One indispensable issue is "data integrity"
  » Data is easily changeable: evidence is usable in proceedings then and only then, if it is ensured that it has not been changed

What is "Computer Forensics"? Other definitions:
- "Analytical techniques to identify, collect, preserve and examine evidence/information which is magnetically stored or encoded"
  » Problem: "magnetically" → flash disks, running systems?
  » Better: "in computerized systems and their parts"
- "We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law."
  » Focus on legal proceedings; there are many other uses as well
    – Note that this is almost the "highest" form: if evidence is sufficient for criminal proceedings, it can be used for everything else as well
- "A technological, systematic inspection of the computer system and its contents for evidence or supportive evidence of a crime or other computer use that is being inspected."

What is "Computer Forensics"? The main elements:
- Has something happened at all?
  » Random effect, bugs, …
- When did it happen?
  » How long did the attacker have access to our files?
- What has happened and what are the effects?
  » What are the results of the intrusion/… and what is their direct and indirect "cost"?
- Who was responsible for it?
  » Can we identify an IP address or a person?
- How did he do it?
  » So we can block this in the future
- Why were we attacked?
  » Just "some computer" or a deliberate attack; damage/gain; …
Generally: uncovering what really occurred

"Evidence"
Circumstantial evidence ("Indiz"):
- A hint which (alone or together with others) allows one to conclude that a certain fact exists
Evidence ("Beweis"):
- A hypothetical situation is accepted as a fact by the judge (rarely: jurors) because he is convinced of it
  » The circumstantial evidence is presumed to be true
- Types of evidence are often strictly regulated
  » Note: this is a legal distinction and typically has no influence on what can be used as evidence; they are just treated differently
    – Example: a witness is treated differently than objects
- Used to fulfil the burden of proof
In English the difference is more vague

"Burden of proof"
Note: not "obligation to prove"
- You are not required to prove anything … unless you want to "win" the proceedings
- If something cannot be proven, this is disadvantageous for the party which bears the burden of proof
  » If it is false: obvious. Practically important: unknown, no evidence/witnesses, expert could not find anything conclusive, …
Typical basic rules:
- You state that something is true → you have to prove this
- Civil procedures: everybody proves what would be advantageous for them (and: must claim it; legal problem)
- Criminal procedures: the state must prove everything
- If the court is convinced (different levels in law), the burden of proof switches to the other party to prove the opposite
Explicit deviations/special rules exist in many laws

Digital evidence
- Digital evidence is
  » Stored in computers: disks, memory, …
    – Not: printouts, fingerprints on CD-ROMs etc.
  » Being transmitted between computers: (W)LAN, E-Mails, …
    – Not: voice telephone communication (but …) etc.
- Analogue evidence:
  » Fingerprints, fibres, body fluids, physically damaged disk, …
- Evidence requires interpretation.
  » What does it mean that this bit is "0"?
  » An E-Mail header exists: who added it? What does it mean?
  » Requires a lot of tools: are they working correctly?
  » How many steps of interpretation are necessary?
  » How reliable is the interpretation?
- We will talk only about digital evidence in this course

Legal considerations
Computer forensic evidence should be
- Admissible: don't collect anything which would not be allowed in court
  » It is useless, and probably illegal too
- Authentic: the evidence should be tied to the incident
  » Don't go on fishing expeditions
- Complete: not only the "damaging" parts, but all of it
  » Don't suppress or ignore anything else
    – If in doubt, collect too much and ignore it later in the evaluation
- Reliable: collection, handling, and evaluation should ensure veracity and authenticity
  » See "Chain of Custody"
- Believable: should be believable and understandable in court
  » And for laymen too (accused, jury, …)
"The truth, the whole truth, and nothing but the truth"

The basic principles of CF
- No action to secure/collect evidence should affect its integrity
  » It becomes worth much less/completely worthless
- Examiners should be trained
  » Only investigate as far as your knowledge goes
- All activities should be logged
  » Seizure, examination, storage, and transfer
    – Complete chain of custody (including its security measures)
  » Documented, preserved, and available for review
    – Proof for the chain of custody
- Investigations must be accurate and impartial
- Computer forensic → prosecutor/attorney/judge
  » Describe what was actually found
    – And what should have been found, but was missing
  » Describe how reliable these facts are
  » Describe what conclusions can reasonably be drawn from it

When to use CF?
- To provide digital evidence of specific activity
  » In general, proving non-activity might also be the goal, but this is more difficult and only sometimes possible
- For legal proceedings
  » Criminal cases: child pornography, (computer) fraud, …
  » Civil cases: hacking, information theft, industrial espionage, …
- Recovering data
  » (Inadvertently) deleted information
- Identifying weaknesses
  » After a break-in, identify the method employed, to prevent it in the future
- Identifying the attack/attacker
  » Verify whether an incident actually happened and who was responsible for it

Problematic example of CF
"Prove that we did not receive this E-Mail"
- Can we really do that?
- We can "easily" prove the receipt of the E-Mail; we just have to find it on the mail server (or traces of it)
- But proving the negative?
- If we don't find any trace on the mail server, this means
  » we did not search enough,
  » it was there, but was later accidentally deleted and overwritten,
  » it was there and then cleverly deleted, or
  » it was never on the server at all (deleted in transit, …)
- But there is normally no way to prove which of these options describes what actually occurred
- Potential options: third parties (logs, replies, …), traces of destroying evidence (no proof, but bad in court)

When to use CF? Concrete examples
- Misuse of ICT by employees
  » Unauthorized disclosure of data
  » Internet (WWW, E-Mail, …) abuse
  » Deleted/damaged information
- Exploiting ICT
  » Industrial espionage
  » Hacking of systems
  » Infiltration (zombies, trojans, viruses, …)
- Damaging ICT
  » Web page defacements
  » Denial of Service attacks
  » Crashing computers

When to use CF? More (prosaic) examples
- Any normal crime
  » Plans on the computer
  » Tracing communication or money
- Computer crimes
  » Phishing, "money mules" etc.
- Disputes between companies
  » We did deliver the product
  » The delivery was too late, defective, …
  » Is the price "appropriate"?
- Companies vs. consumers
  » Details: see above
  » Addition: often "computer company" vs. "laymen"

When NOT to use CF
- Immediately acting when having any suspicion
  » Plan first: evidence is destroyed very easily
  » Locate an expert for doing this type of computer forensics
- At the last minute: do it as soon as possible
- Because I'm interested: girl-/boyfriend, spouses etc.
  » Potentially a typical area for CF, but it should not be used "lightly"
- "Special" groups are involved
  » Representatives, medical doctors, attorneys, clergy
    – These are often privileged regarding evidence
- Because it is against the company policy/immoral/…
  » If the (suspected) behaviour is not illegal, it is much more difficult to do it legally
- Use your own staff for important investigations
  » Use external independent experts (= third party)

Who should/may use CF?
- Authorization required for accessing data
  » See privacy laws
- Live monitoring, hacking, password cracking etc. tools are legally "dangerous"
  » Possession alone might be criminal
    – Good explanation and evidence for its necessity/legal use might be required
- Personnel to "do" CF:
  » System administrators in their own area
    – With restrictions, additional permissions/consent/…
  » Experts for courts or private investigations
    – "Expert" is not a legal/protected name → anyone can use it
  » Everyone on their own system
    – Note: a second person (e.g. husband/wife) uses the system → consent by this person is necessary

Where to find evidence
- Disks: hard disks, USB disks, floppy disks, tapes, …
  » The typical "storage medium"
  » Note: these can be very small and very easily hidden
    – They might also pose as "normal" objects (example: USB stick in a pocket knife)
- Devices: mobile phones, PDAs, MP3 players, USB sticks, game consoles, …
  » Directly or in disks contained therein
  » Not a storage medium, but usually may contain arbitrary data
    – In addition to the "normal" data like music, contacts etc.
- Recorders: cameras, audio recorders, GPS trackers, TVs, …
  » Similar to devices: own data + any other stored data
- Digital copiers/printers
  » Might add a serial number to each copied/printed sheet
  » May contain old scanned pages

A few examples of hidden USB keys… (pictures only)

Types of evidence
- Who was it: identifying information
  » Typical data: IP addresses, login names, passwords
    – The language of the words used may also be interesting
- What did he do: traces of actions
  » Typical data: log files, shell history files, event log
  » Especially important: various application-internal logs and non-standard configurations
    – The "standard" files are more likely to be cleaned by attackers
- What did he add: data itself
  » Typical data: additional program code, user accounts, program configurations
    – Code: new/changed programs, modified source code
- What did he remove: remains of data
  » Typical data: deleted files (destroyed data as well as his own "intermediate" files), encrypted files

Technical problems of CF
- Anything done to a system changes it
  » Especially problematic for running systems
  » Usually less of a problem for hard disks
    – Reading data might change the content microscopically …
- You can never trust the system under investigation
  » It may be hacked, modified by the owner etc.
- Proving you did not change anything is difficult
  » You must be "above suspicion" and take precautions
- The past can never be known
  » We can only find hints of what might possibly have been
    – The content could have been manufactured by someone
    – This can be pretty good evidence, but no absolute proof
- Not everyone knows everything
  » Every forensic examination is limited by the examiner

Systematic problems of CF
- Identifying the attacker: IP addresses are typically the only traces of "hacking"; often they cannot be identified
  » No information available anymore
  » Used a proxy (= other hacked computer; commercial proxy service) without any logs on that one
- Finding traces: if the attacker is good, once he has compromised the system he can hide his tracks very well
  » Note: it is very easy to forget something, but you can hide almost every trace
    – Exceptions: already backed up, external systems (network sniffers/IDS on other systems not yet hacked, …)
- Note: many investigations are successful
  » E.g. child pornography is difficult to hide and still "use"
  » The culprit must not forget even once to perform all security precautions (and when he does, he won't immediately notice that he forgot)
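The integrity requirement from the definition slide and the logged, reviewable chain of custody from the basic principles slide, as an added example that is not part of the lecture: the SHA-256 of the acquired image is recorded in a custody log whose entries are hash-chained, so a later change to the image or to an earlier log entry is detectable. Examiner names, actions and the "disk image" bytes are constructed for the example.

```python
"""Added example (not from the slides): evidence hash + hash-chained custody log; all data constructed."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value used by the first log entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record(log: list, examiner: str, action: str, evidence: bytes) -> dict:
    """Append a custody entry: who, what, when, hash of the evidence now, and the hash of the previous entry."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),  # real use: trusted, documented clock
        "examiner": examiner,
        "action": action,
        "evidence_sha256": sha256_hex(evidence),
        "prev_entry_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry

def verify_log(log: list) -> bool:
    """True iff every entry still hashes to its entry_hash and links to its predecessor."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_entry_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def evidence_unchanged(log: list, evidence: bytes) -> bool:
    """Compare the evidence against the hash recorded at seizure (first entry)."""
    return bool(log) and log[0]["evidence_sha256"] == sha256_hex(evidence)

def demo() -> tuple:
    """Constructed scenario: seize, examine, then the image and the log are altered."""
    image = b"constructed disk image: sector 0 ... sector n"  # stands in for a real acquisition
    log: list = []
    record(log, "examiner A", "seizure: disk imaged", image)
    record(log, "examiner B", "examination: keyword search", image)
    intact = verify_log(log) and evidence_unchanged(log, image)
    altered_image = evidence_unchanged(log, image.replace(b"sector 0", b"SECTOR 0"))
    log[1]["action"] = "examination: nothing found"  # someone rewrites a past log entry
    return intact, altered_image, verify_log(log)  # (True, False, False)
```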
