Cyber Forensics - Purdue University


Cyber Forensics: The Fascinating World of Digital Evidence

Introduction
Eric Katz, Law Enforcement Coordinator, Purdue Cyber Forensics Lab, Dept. of Computer & Information Technology

Caveat
Warning: This lecture will not make you a certified digital forensics technician. This lecture is designed to provide an introduction to this field from both a theoretical and practical perspective. Digital forensics is a maturing scientific field with many sub-disciplines.

Computer Forensics Fundamentals
- Computer Forensics: Military, Law Enforcement, Private Sector
- Standards & Reports
- Rules of Evidence
  - Criminal: Frye, FRE 702, Daubert/Kumho
  - Civil: Federal Rules of Civil Procedure, Sedona, Rowe
- Presentation: Expert Witness, Friend of the Court, Technical Expert

Digital Forensic Science
Digital Forensic Science (DFS): "The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations."
Source: Digital Forensic Research Workshop (DFRWS), 2001

Communities
There are at least 3 distinct communities within Digital Forensics:
- Law Enforcement
- Military
- Business & Industry
Possibly a 4th: Academia

Digital Forensic Science

Community Objectives

Cyber Forensics Includes:
- Networks (Network Forensics)
- Small Scale Digital Devices
- Storage Media (Computer Forensics)
- Code Analysis

Cyber Forensics
The scientific examination and analysis of digital evidence in such a way that the information can be used as evidence in a court of law.

Cyber Forensic Activities
Cyber forensics activities commonly include:
- the secure collection of computer data
- the identification of suspect data
- the examination of suspect data to determine details such as origin and content
- the presentation of computer-based information to courts of law
- the application of a country's laws to computer practice

The 3 As
The basic methodology consists of the 3 As:
- Acquire the evidence without altering or damaging the original
- Authenticate the image
- Analyze the data without modifying it

Context of Cyber Forensics
- Homeland Security
- Information Security
- Corporate Espionage
- Digital Forensics
- Traditional Crime
- Cyber Forensics
- White Collar Crime
- Child Pornography
- Incident Response
- Employee Monitoring
- Employee Privacy Issues?

A Brief Timeline
- 1970's: LE investigative units; cyber crime legislation
- 1980's: International LE meeting
- 1990's: RCFL in USA; IOCE & SWGDE; IOCE formed; 1st International Conference on CE
- 2003: AAFS subsection?; journals; conferences; ISO on cyber crime
- 2008

Crime Scenes
Physical Crime Scenes vs. Cyber/Digital Crime Scenes
- Overlapping principles: the basics of criminalistics are constant across both physical and cyber/digital
- Locard's Exchange Principle applies: "When a person commits a crime something is always left at the scene of the crime that was not present when the person arrived"

Digital Crime Scene
- Digital Evidence: digital data that establish that a crime has been committed, can provide a link between a crime and its victim, or can provide a link between a crime and the perpetrator (Carrier & Spafford, 2003)
- Digital Crime Scene: the electronic environment where digital evidence can potentially exist (Rogers, 2005)
- Primary & Secondary Digital Scene(s) as well

Forensic Principles
- Digital/electronic evidence is extremely volatile!
- Once the evidence is contaminated it cannot be decontaminated!
- The courts' acceptance is based on the best evidence principle. With computer data, printouts or other output readable by sight, and bit stream copies, adhere to this principle.
- Chain of Custody is crucial

Cyber Forensic Principles
The 6 Principles are:
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
6. Any agency which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles.

Process/Phases
Identification, Collection, Bag & Tag, Transport

Identification
The first step is identifying evidence and potential containers of evidence. More difficult than it sounds:
- Small scale devices
- Non-traditional storage media
- Multiple possible crime scenes

Devices Identification

Identification
- Context of the investigation is very important
- Do not operate in a vacuum!
- Do not overlook non-electronic sources of evidence: manuals, papers, printouts, etc.

Collection
- Care must be taken to minimize contamination
- Collect or seize the system(s)
- Create forensic image: Live or Static?
- Do you own the system? What does your policy say?


Collection: Documentation

Collection: Documentation
- Take detailed photos and notes of the computer/monitor
- If the computer is "on", take photos of what is displayed on the monitor. DO NOT ALTER THE SCENE.

Collection: Documentation
Make sure to take photos and notes of all connections to the computer/other devices

Collection: Imaging
- Rule of Thumb: make 2 copies and don't work from the original (if possible)
- A file copy does not recover all data areas of the device for examination
- Working from a duplicate image:
  - Preserves the original evidence
  - Prevents inadvertent alteration of original evidence during examination
  - Allows recreation of the duplicate image if necessary

Collection: Imaging
Digital evidence can be duplicated with no degradation from copy to copy. This is not the case with most other forms of evidence.

Collection: Imaging
Write blockers: software or hardware. Hardware write blockers are becoming the industry standard (USB, SATA, IDE, SCSI, SIM, memory cards). They are not BIOS dependent, but still verify prior to usage!

Collection: Imaging
Forensic Copies (Bitstream)
- Bit-for-bit copying captures all the data on the copied media, including hidden and residual data (e.g., slack space, swap, residue, unused space, deleted files, etc.). Often the "smoking gun" is found in the residual data.
- Imaging from a disk (drive) to a file is becoming the norm: multiple cases can be stored on the same media, with no risk of data leakage from the underlying media.
- Remember: avoid working from the original.
- Use a write blocker even when examining a copy!

Imaging: Authenticity & Integrity
How do we demonstrate that the image is a true, unaltered copy of the original? Hashing (MD5, SHA-256):
- A mathematical algorithm that produces a fixed-length value (128 bits for MD5, 256 bits for SHA-256) that is, for practical purposes, unique to the input
- Can be performed on various types of data (files, partitions, physical drives)
- The value can be used to demonstrate the integrity of your data: any change made to the data will result in a different value
- The same process can be used to demonstrate the image has not changed from time-1 to time-n
- Caveat: MD5 collisions can be constructed deliberately, so record SHA-256 alongside (or instead of) MD5 rather than relying on MD5 alone
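Added example, not from the lecture or the Purdue lab: a small Python program that makes the imaging and hashing points concrete. It constructs an in-memory toy "device" (the block size, directory format and file contents are assumptions invented for the demo, not a real file system), compares a plain file copy with a bit-for-bit image, then hashes device and image with MD5 and SHA-256 to authenticate the image and to catch a single flipped bit in a working copy.

```python
import hashlib
import io

BLOCK = 64  # toy block size; an assumption for the demo, not a real file system


def build_toy_device():
    """Constructed six-block 'disk'. Block 0 is a directory of allocated files
    ("name:startblock:length;"), blocks 1-2 hold those files, block 3 holds a
    deleted file whose bytes are still present, blocks 4-5 are unused."""
    b0 = b"memo.txt:1:21;budget.csv:2:64;".ljust(BLOCK, b"\x00")
    # memo.txt is 21 bytes; the rest of its block is slack left by an older file
    b1 = b"Meeting moved to 3pm." + b"wire 50000 to acct 9981".ljust(BLOCK - 21, b"\x00")
    b2 = b"item,amount\npaper,12\ntoner,80\n".ljust(BLOCK, b"\x00")
    b3 = b"DELETED: move the rest to the offshore account".ljust(BLOCK, b"\x00")
    b4 = b5 = bytes(BLOCK)
    return b0 + b1 + b2 + b3 + b4 + b5


def logical_copy(device):
    """A 'file copy': walk the directory and copy only the bytes of allocated
    files, as an ordinary copy tool would. Slack and unallocated blocks are
    never read, so whatever sits there is lost to the examiner."""
    files = {}
    for entry in device[:BLOCK].rstrip(b"\x00").decode().split(";"):
        if entry:
            name, start, length = entry.split(":")
            off = int(start) * BLOCK
            files[name] = device[off:off + int(length)]
    return files


def bitstream_copy(device, chunk=16):
    """Read every byte of the device, in order, through a read-only stream and
    write them to an image: what dd does behind a hardware write blocker,
    done in memory so the demo runs offline."""
    src, img = io.BytesIO(device), io.BytesIO()
    while True:
        data = src.read(chunk)
        if not data:
            break
        img.write(data)
    return img.getvalue()


def hash_all(data):
    """Record both digests: SHA-256 because MD5 collisions are practical today,
    MD5 because older reports and tools still expect it."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify_image(device, image):
    """Authenticate: the image is a true copy only if both digests match."""
    return hash_all(device) == hash_all(image)


def unchanged_since(image, recorded):
    """Integrity over time: re-hash at time-n and compare with the digests
    recorded at acquisition (time-1)."""
    return hash_all(image) == recorded


if __name__ == "__main__":
    dev = build_toy_device()
    files = logical_copy(dev)
    img = bitstream_copy(dev)
    print("file copy contains 'offshore':", any(b"offshore" in d for d in files.values()))
    print("bit-stream image contains 'offshore':", b"offshore" in img)
    acquired = hash_all(dev)  # digests recorded at acquisition time
    print("image verified against device:", verify_image(dev, img))
    working = bytearray(img)
    working[-1] ^= 0x01  # a single flipped bit in a working copy
    print("working copy still matches acquisition hashes:", unchanged_since(bytes(working), acquired))
```

Run as a script: the file copy never sees the "wire" text in memo.txt's slack or the deleted "offshore" text in block 3, the bit-stream image does, and the working copy with one flipped bit fails the check against the acquisition digests while the pristine image still verifies.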

Examination
Higher level look at the file system representation of the data on the media
- Verify integrity of image (MD5, SHA-1, etc.)
- Recover deleted files & folders
- Determine keyword list: what are you searching for?
- Determine time lines: what is the timezone setting of the suspect system? What time frame is of importance? Graphical representation is very useful

Examination
- Examine directory tree
- Search for relevant evidence types: hash sets can be useful; what looks out of place? Graphics, stego tools installed, spreadsheets, evidence scrubbers, hacking tools, etc.
- Perform keyword searches: indexed; slack & unallocated space
- Look for the obvious first
- When is enough enough?
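Added example, not the lecture's code: Python that performs three of the examination steps above on a constructed toy image. It runs a keyword search over the whole image and reports whether each hit lies in an allocated file, in file slack or in unallocated space; triages the allocated files against known-good and known-bad hash sets; and normalises the suspect system's local timestamps to UTC. The image bytes, the allocation map, the hash sets and the timestamps are all made up for the demo; the allocation map stands in for what a real tool would parse out of the file system, and the suspect system's timezone setting is assumed to be UTC-5.

```python
import hashlib
from datetime import datetime, timedelta, timezone

BLOCK = 64  # toy block size (assumption for the demo)

# Constructed toy image: block 0 directory, blocks 1-2 and 4 allocated files,
# block 3 a deleted file with no directory entry left, block 5 unused.
BUDGET = b"item,amount\npaper,12\ntoner,80\n".ljust(BLOCK, b"\x00")
LISTENER = b"#!/bin/sh\nnc -l -p 4444 -e /bin/sh\n"  # stand-in for a "hacking tool"
IMAGE = (
    b"memo.txt:1:21;budget.csv:2:64;listen.sh:4:35;".ljust(BLOCK, b"\x00")
    + b"Meeting moved to 3pm." + b"wire 50000 to acct 9981".ljust(BLOCK - 21, b"\x00")
    + BUDGET
    + b"DELETED: move the rest to the offshore account".ljust(BLOCK, b"\x00")
    + LISTENER.ljust(BLOCK, b"\x00")
    + bytes(BLOCK)
)
# Byte ranges of allocated files, as a real tool would parse from the file system.
ALLOC = {"memo.txt": (64, 85), "budget.csv": (128, 192), "listen.sh": (256, 291)}


def classify(offset, alloc=ALLOC):
    """Which region of the image an offset belongs to: an allocated file, the
    slack at the end of a file's last block, the directory, or unallocated."""
    for name, (start, end) in alloc.items():
        if start <= offset < end:
            return "allocated:" + name
        last_block_end = ((end + BLOCK - 1) // BLOCK) * BLOCK
        if end <= offset < last_block_end:
            return "slack:" + name
    return "directory" if offset < BLOCK else "unallocated"


def keyword_search(image, keywords, alloc=ALLOC):
    """Case-insensitive search over the whole image, not just the live files,
    returning (keyword, offset, region) for every hit."""
    hits, low = [], image.lower()
    for kw in keywords:
        pos = low.find(kw.lower())
        while pos != -1:
            hits.append((kw, pos, classify(pos, alloc)))
            pos = low.find(kw.lower(), pos + 1)
    return hits


def sha256(data):
    return hashlib.sha256(data).hexdigest()


KNOWN_GOOD = {sha256(BUDGET)}    # constructed "known file" set (NSRL-style)
KNOWN_BAD = {sha256(LISTENER)}   # constructed hash of a known hacking tool


def triage_files(image, alloc=ALLOC):
    """Hash each allocated file and filter: known-good files are skipped,
    known-bad files are flagged, everything else goes to manual review."""
    verdicts = {}
    for name, (start, end) in alloc.items():
        h = sha256(image[start:end])
        if h in KNOWN_BAD:
            verdicts[name] = "known-bad: flag"
        elif h in KNOWN_GOOD:
            verdicts[name] = "known-good: skip"
        else:
            verdicts[name] = "unknown: review"
    return verdicts


SUSPECT_TZ = timezone(timedelta(hours=-5))  # assumed timezone setting of the suspect system


def normalize_timeline(entries, tz=SUSPECT_TZ):
    """Timestamps stored as local time mean nothing until the suspect system's
    timezone setting is known; convert them to UTC and sort."""
    out = []
    for local_str, event in entries:
        local = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        out.append((local.astimezone(timezone.utc), event))
    return sorted(out)


if __name__ == "__main__":
    for kw, off, region in keyword_search(IMAGE, [b"offshore", b"wire", b"nc -l", b"paper"]):
        print(f"{kw!r} at offset {off}: {region}")
    print(triage_files(IMAGE))
    events = [("2008-02-20 09:15:00", "memo.txt modified"),  # constructed timestamps
              ("2008-02-20 08:50:00", "listen.sh created")]
    for when, event in normalize_timeline(events):
        print(when.isoformat(), event)
```

The "offshore" hit lands in unallocated space and "wire" in memo.txt's slack, which is exactly the residual data a logical file copy would never have surfaced; the hash triage drops budget.csv as known-good and flags listen.sh, leaving only memo.txt for manual review.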

Issues
- Lack of certification for tools
- Lack of standards
- Lack of certification for professionals
- Lack of understanding by the judiciary
- Lack of curriculum accreditation
- Rapid changes in technology!
- Immature scientific discipline

Careers
One of the fastest growing job markets!

Paths to Careers in CF
- Certifications
- Associate Degree
- Bachelor Degree
- Post Grad Certificate
- Masters
- Doctorate

Job Functions
- CF Technician
- CF Investigator
- CF Analyst/Examiner (lab)
- CF Lab Director
- CF Scientist

Professional Opportunities
- Law Enforcement
- Private Sector
- Intelligence Community
- Military
- Academia

Summary
- Cyber Forensics is a maturing forensic science
- AAFS new section, Feb 2008
- Excellent career opportunities
- Proper education & training is paramount!

Questions?

Contact Information
Marcus Rogers, PhD, CISSP, CCCI
cyberforensics@mac.com
http://www.cyberforensics.purdue.edu
