Acquisition: Cyber Chain of Custody. Evidence Dynamics and the Introduction of Error. Must Be Proven!
- Jack Moody
Acquisition (Week 2): Cyber Chain of Custody

7/17/2018 Sacramento State - Cook - CSc Summer

Protect the data from the investigator.

Cyber Chain of Custody
- Just like physical evidence, e-evidence must adhere to a chain of custody.
- The challenge with e-evidence is that it is easily damaged and changed.
- Data is subject to physical corruption just like classic evidence, e.g. dropped, fire, water, etc.
- It is also subject to being changed in subtle ways by hardware and software.
- So, special care is required at all stages of an investigation.

Evidence Dynamics and the Introduction of Error
- Offenders, victims, first responders, digital evidence examiners and anyone else who had access to digital evidence prior to its preservation can change the evidence.
- Media containing digital evidence can deteriorate over time or be exposed to fire, water or toxic chemicals.

Must Be Proven!
- No information has been added, deleted, or altered in the copying process or during analysis.
- A complete copy was made and verified.
- A reliable copying process was used.
- All media was secured.
- All data that should have been copied has been copied.
Chain of Custody Procedures
- Handling of e-evidence must follow the Three C's of Evidence: care, control, chain of custody.
- Keep an evidence log that shows when evidence was received, seized, and located.
- Record dates if items are released to anyone.
- Restrict access to evidence.
- Place the original hard drive in an evidence locker.
- Perform all forensics on a mirror-image copy, never on the original data.

Document and Collect Data
- Documentation needs to be precise and organized. Document each of the following:
  - location, date, time, witnesses
  - system information, including manufacturer, serial number, model, and components
  - status of the computer, such as whether it was running and what was connected to it
  - physical evidence collected

Investigation Objectives and Chain of Custody Practices
- Investigation objectives:
  - Document the scene, evidence, activities, and findings.
  - Acquire the evidence.
  - Authenticate the copy.
  - Analyze and filter the evidence.
  - Be objective and unbiased.
  - Present the evidence/evaluation in a legally acceptable manner.
- Chain of custody practices:
  - Document everything that is done; keep detailed records, photographs, etc.
  - Collect and preserve the original data, and create an exact copy.
  - Verify that the copy is identical to the original.
  - Perform the technical analysis while retaining its integrity.
  - Ensure that the evaluation is fair and impartial to the person or people being investigated.
  - Interpret and report the results correctly.

Report Procedures
1. All reports of the investigation should be prepared with the understanding that they will be read by others.
2. The investigator should never comment on the guilt or innocence of a suspect or suspects or their affiliations.
3. Only the facts of the investigation should be presented; opinions should be avoided.
Certification and Training Programs
- EnCE: EnCase Certified Examiner
- Global Information Assurance Certification (GIAC)
- Computer Hacking Forensic Investigator (CHFI)
- Certified Computer Examiner (CCE)

Forensic Copies: You are unique, and so am I.

Create a Drive Image
- Original data must be protected from any type of alteration.
- To protect original data, analysis should be performed on a forensic copy of the original drive or device.
- There are different ways of making forensic copies. Examples:
  - drive imaging or mirror imaging
  - sector-by-sector or bit-stream imaging

Acquiring a Forensic Copy
- Use a forensically wiped hard drive for copying.
- A simple, single format is not acceptable: formatting rewrites the file-system structures, not the data in the sectors.
- To ensure there is no data left, the drive must be overwritten. The DoD 5220.22-M clearing standard calls for 3 passes (a 7-pass variant also exists), and this can take a long, long time. NIST SP 800-88 accepts a single overwrite pass for modern magnetic drives; forensically, what matters is that the target drive is verified to contain nothing (e.g. it hashes to the all-zero pattern) before the image is written to it.

Hashes
- There must be a reliable method of verifying that the original and the copies are identical.
- A hash is a mathematical function that produces a fixed-length value from any piece of data; for a cryptographic hash it is computationally infeasible to find two different inputs with the same value, so the hash serves as a practically unique identifier for the data.
- Hashes are routinely used by password systems and to determine if two volumes are forensically identical.
Hashes: Evidence Integrity
- A hash is like a fingerprint for computer data.
- If two files are different they will not have the same hash value: for a sound algorithm, the hash values differ even if a single bit differs.
- Hashing algorithms are accepted as reliable methods for determining whether two blocks of data (file, drive, etc.) are identical at the bit level.
- Common hashes:
  - Cyclic Redundancy Check (CRC): an error-detection code, not a cryptographic hash; it catches accidental corruption but is trivial to forge and should not be offered as proof of integrity.
  - Message Digest (MD5): 128-bit; collisions can now be constructed, so it should only be used alongside a stronger hash.
  - Secure Hash Algorithm: SHA-1 (160-bit, also with known collisions) and SHA-256, which is the current choice for evidence verification.
- Recording two independent hashes (e.g. MD5 and SHA-256) of the original and of every copy is common practice.

Where Used
- Safeback
- WinHex Forensic
- EnCase
- Forensic Toolkit (FTK)
- Snapback
- DataArrest
- Byte Back

Advanced Data Acquisition: It's Not As Simple As Taking a Body

Data Acquisition
- Data is easy to change and damage, so acquisition must be done with the utmost care.
- However, sometimes the hard drive cannot be removed or the data must be captured live!

Exceptions to the "Copy Rule"
- Best practice is to work with a copy of the original data.
- Exceptions to this rule may occur when it is more important to contain an attack or stop a crime.
- It may also be impossible to copy an entire system.
Boot Disks
- Create a verifiably non-invasive command-line boot disk with the tools needed for acquisition, verification and analysis.
- Use the following alternatives:
  - Linux boot floppy
  - Linux live CD-ROM
  - FIRE bootable CD-ROM
  - software write-blockers (PDBlock)
  - hardware write-blockers (FastBloc)

Unix Evidence Acquisition Boot Disk
- UNIX can access drives as read-only.
- A bootable CD or thumb drive can contain the UNIX operating system and allow data to be analyzed without changing it.
- However, one disk will not work for all cases: the hardware platforms are different.
- A Linux boot CD can be used to boot and access a Windows computer, e.g. F.I.R.E.

Boot Disk Example
- A Sun SPARC Enterprise 3500 system contained a 9 GB Seagate Fibre Channel drive.
- This is incredibly unusual and the forensic lab did not have the hardware to connect the drive.
- Their solution used a bootable CD and used the suspect's computer hardware to access the drive.
- The drive was bit-stream copied (using the UNIX dd command) to an external SCSI drive.

Windows Evidence Acquisition Boot Disk
- The rules of evidence dictate that evidence, once seized, cannot be changed.
- But Windows is extremely invasive, updating hundreds of files on each boot-up; booting the computer can destroy evidence.
- Windows has traditionally offered no reliable way to mount an evidence drive read-only: it auto-mounts volumes read/write. (Newer versions can mark a disk read-only with diskpart or the StorageDevicePolicies WriteProtect registry value, but these are software controls and do not replace a write blocker.)
- How, then, can the forensic examiner access the drive for examination purposes?

Power Down or Unplug?
- If a PC is running, how do you power it down?
- Using the operating system to power down is risky:
  - temporary files might be deleted
  - date/time stamps changed
  - patches applied to the OS
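The following script is an added example, not part of the course slides, that puts the Hashes slide and the dd boot-disk example together: it bit-stream copies a source with dd, hashes source and image before and after the copy, writes a chain-of-custody log line, and then shows that a later one-byte change to the image is caught on re-verification. It assumes a Linux userland (GNU dd with status=none, sha256sum, md5sum, blockdev); the 64 KiB "drive" it images is a constructed file, and the hypothetical OPERATOR variable names the examiner.

```shell
#!/bin/sh
# Added example (not from the slides): bit-stream acquisition with dd,
# hash verification of source vs. image, a chain-of-custody log entry,
# and detection of a later change to the image.
set -e

# Print only the digest of a file or device.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }
md5_of()    { md5sum "$1"    | cut -d' ' -f1; }

# Software write-block: mark the source read-only in the kernel if it is a
# block device (a hardware blocker is still preferred for court work).
protect_source() {
    if [ -b "$1" ]; then blockdev --setro "$1"; fi
}

# acquire SRC IMG LOG: copy SRC sector-by-sector into IMG, then verify.
# Returns 0 when source and image hashes match and the source is unchanged.
acquire() {
    src=$1; img=$2; log=$3
    protect_source "$src"
    pre_sha=$(sha256_of "$src"); pre_md5=$(md5_of "$src")
    # conv=noerror,sync: keep going on read errors and zero-pad bad blocks,
    # so the image stays sector-aligned with the original.
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none
    img_sha=$(sha256_of "$img"); img_md5=$(md5_of "$img")
    post_sha=$(sha256_of "$src")   # re-read the source: it must not have changed
    printf '%s acquire src=%s img=%s md5=%s sha256=%s operator=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$img_md5" "$img_sha" \
        "${OPERATOR:-examiner}" >> "$log"     # OPERATOR is a hypothetical variable
    if [ "$pre_sha" = "$img_sha" ] && [ "$pre_sha" = "$post_sha" ] && [ "$pre_md5" = "$img_md5" ]; then
        return 0
    fi
    echo "HASH MISMATCH for $src" >&2
    return 1
}

# verify IMG LOG: recompute the image hash and compare with the last logged one.
# Returns 0 if the image still matches, 1 if it has changed (or was never logged).
verify() {
    img=$1; log=$2
    logged=$(grep -F " img=$img " "$log" | tail -n 1 | sed 's/.*sha256=\([0-9a-f]*\).*/\1/')
    if [ -n "$logged" ] && [ "$(sha256_of "$img")" = "$logged" ]; then
        return 0
    fi
    return 1
}

# Demonstration on a constructed 64 KiB "drive" of random bytes.
# Returns 0 when the acquisition verifies and the tampering is detected.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/suspect.raw" bs=512 count=128 status=none   # constructed source
    acquire "$work/suspect.raw" "$work/suspect.dd" "$work/custody.log" || return 1
    verify "$work/suspect.dd" "$work/custody.log" || return 1
    # Overwrite 8 bytes inside the image: verification against the log must now fail.
    printf 'TAMPERED' | dd of="$work/suspect.dd" bs=1 seek=4096 conv=notrunc status=none
    if verify "$work/suspect.dd" "$work/custody.log"; then return 1; fi
    rm -rf "$work"
    return 0
}

demo && echo "acquisition verified; later tampering detected"
```

Re-hashing the source after the copy (post_sha) is the cheap way to demonstrate that the acquisition itself did not alter the original, which is the first thing the chain-of-custody slide says must be proven.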
- Current best practice is to unplug the PC from its power source, preserving the data environment. (This loses volatile data such as RAM contents, running processes and network connections, so weigh it against the need for a live acquisition described under Exceptions to the "Copy Rule".)

Forensic Tools: Does it have a Sonic Screwdriver?

Choice of Tools
- There are a large number of forensic tools available to investigators.
- Most are expensive, and not surprisingly so, given that they have to be validated for court use.
- There is also open-source software (e.g. The Sleuth Kit/Autopsy, dd) that can be helpful; it is not barred from court, but like any tool its output must be validated and the examiner must be able to explain how it works.
- Many factors affect the choice of tools. Examples:
  - operating system
  - software applications
  - hardware platforms
  - state of the data
  - domestic and international laws
  - concerns about bad publicity or liability

How Tools Can Help
- Recreate a specific chain of events or sequence of user activities.
- Search for key words and dates and determine which of the data is relevant.
- Search for copies of document drafts.
- Search for potentially privileged information.
- Search for the existence of programs.
- Authenticate files and date/time stamps.

EnCase
- EnCase Cybercrime Arsenal is a customizable package of software, hardware, and training, available in three packaged solutions.
- Offers four views of collected data:
  - Table: displays files in a spreadsheet-style format
  - Gallery: view of all images
  - Timeline: calendar-style view of file activity
  - Report: helps create tailored reports
Forensic Toolkit (FTK)
- Used for finding and examining computer evidence.
- Ultimate Toolkit contains FTK plus other modules for recovering passwords, analyzing registry data, and wiping hard drives.

OS Forensics
- OSForensics is a free evidence toolkit created by PassMark (which has a stellar reputation).
- While not as advanced as FTK or EnCase, it is quite a robust application and it is very, very easy to use.
- It can read FTK and EnCase evidence files!

WinHex
- Used for forensics, data recovery and processing, and IT security. Some of the tools:
  - editor for FAT12/16/32, NTFS, Ext, etc.
  - can interpret RAID systems
  - data interpreter for 20 data types
  - disk cloning
  - drive wiping

Toolkits Only For UNIX/Linux
- Autopsy and The Sleuth Kit, for investigating file systems and volumes of suspect computers (Autopsy has since been ported to Windows as well).
- dtSearch, for combing through large amounts of data in up to 250 different file types.

Toolkits Only For Macintosh
- BlackBag: a set of 19 tools for examining Macintosh computers, including Directory Scan, FileSpy and HeaderBuilder.
- MacQuisition: forensic acquisition tool used to safely image Macintosh systems.

PDA Seizure
- A comprehensive forensic tool from Paraben for investigating Palm, Pocket PC, iPhone, Droid, and BlackBerry devices.
- Can produce forensic images and perform data searches, as well as crack passwords for Palm.
In Practice: Do Nothing Without Competence
- Prosecutions may be jeopardized if untrained personnel compromise data by not following correct procedures.
- Companies should have a proper incident response plan and policies in place.

Forensics Equipment: Hardware
- Computer forensics labs should have a wide variety of hardware.
- In some cases, seized hardware may be rare or outdated, so legacy systems are useful:
  - PCs that can read 5¼" floppies
  - dead platforms such as Commodore 64, Apple II, etc.
- Common hardware:
  - workstations
  - assortment of power cables
  - USB 2.0 and FireWire cables, and power supplies
  - electrostatic mats
  - hard disks, and spare expansion cards (PCI, ISA, etc.)

Forensics Equipment: Operating Systems
- Forensics labs should have multiple computer platforms ready.
- Some applications (or hardware) will only work with a specific operating system or platform.
- Examples:
  - Windows 10, 8, 7, XP, 2000, NT 4.0, NT 3.5, 98, 3.11, and DOS 6.22
  - Apple Macintosh OS 10.x, Tiger, and older
  - Linux, including Fedora, Caldera OpenLinux, Slackware, Ubuntu and Debian

Forensics Equipment: Software
- The lab needs to have multiple applications available.
- These can be current ones, but legacy ones might be needed for old/rare file types.
- Software examples:
  - Microsoft Office (latest), XP, 2000, 97, 95
  - Quicken and Peachtree accounting software
  - Visual Basic and Visual C++
  - Quick View, ACDSee, ThumbsPlus, IrfanView
  - OpenOffice (StarOffice)
  - Corel Office (legacy)
  - DOSBox (emulates DOS systems)

Forensics Equipment (table; the Free? column was only partly legible in the slide)
Type | Tool | Free? | Web site
Password cracker | Passware Kit | |
Password cracker | John the Ripper | Yes |
Portable hard disk duplicator | Disk Jockey | |
Portable hard drive and media duplicator | Logicube | |
Forensic, intrusion detection, and scanning tools | Foundstone | Yes | resources/forensics.htm

Importance of Hard Drive Expertise
- Tools are available to work with hard disks, but it is important for investigators to know what is happening behind the scenes.
- Tools have their limitations: they may only partially recover a deleted file, but an experienced investigator may be able to locate the remainder.
- Investigators must recognize and address these limitations.

Searching Hard Drives: Looking for Many Needles in a Very Big Haystack

Residual Data
- Residual data is data that has been deleted but not erased.
- Residual data may be found in unallocated storage or file slack space.
- Slack consists of:
  - RAM slack: the area from the end of a file to the end of its last sector
  - File slack: the additional sectors needed to fill the cluster, which are not used by the file
- (The name "RAM slack" is historical: Windows 95/98 padded the last sector with whatever was in memory; NT-based Windows pads it with zeros. The file-slack sectors are never rewritten and still hold whatever was stored there before.)

Best Approach
- Conducted with verified tools: identify, collect, filter, tag and bag, store, and preserve e-evidence.
- Conducted by individuals who are certified in the use of the verified tools.
- Documented thoroughly.
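The following is an added example, not part of the course slides, illustrating the Residual Data slide. It computes RAM slack and file slack for a file of a given size, then models a four-cluster volume as a plain file: a 4096-byte file full of a marker string is written, "deleted", and a 1000-byte file is stored in the same cluster. Only the sectors the new file needs are rewritten, so the marker survives in the file slack and a raw grep still finds it. The sector and cluster sizes (512 and 4096 bytes), the marker text and the volume itself are constructed; GNU dd and grep are assumed.

```shell
#!/bin/sh
# Added example (not from the slides): slack arithmetic and residual data
# surviving in file slack, on a constructed raw volume.
set -e

SECTOR=512      # assumed sector size
CLUSTER=4096    # assumed cluster size (8 sectors)

# slack_bytes SIZE: print "<RAM slack> <file slack>" for a SIZE-byte file.
# RAM slack  = from the end of the data to the end of its last sector.
# File slack = the whole sectors left over in the last cluster.
slack_bytes() {
    size=$1
    last_sector_end=$(( (size + SECTOR - 1) / SECTOR * SECTOR ))
    cluster_end=$(( (size + CLUSTER - 1) / CLUSTER * CLUSTER ))
    echo "$(( last_sector_end - size )) $(( cluster_end - last_sector_end ))"
}

MARKER='OLDSECRET-payroll-export-2018!!!'   # 32 bytes, so 128 copies fill one cluster

# make_volume VOL: build a 4-cluster volume, fill cluster 0 with a file of
# MARKER text, "delete" it, and store a 1000-byte file in the same cluster.
make_volume() {
    vol=$1
    dd if=/dev/zero of="$vol" bs=$CLUSTER count=4 status=none
    # old file: exactly one cluster of repeated marker text
    yes "$MARKER" | tr -d '\n' | head -c $CLUSTER \
        | dd of="$vol" bs=1 conv=notrunc status=none
    # A FAT/NTFS delete only flags the directory entry and frees the cluster;
    # nothing in the data area is touched, so there is nothing to do here.
    # New 1000-byte file allocated to the same cluster: the OS rewrites the
    # two sectors it needs (1024 bytes), zero-padding the RAM slack; the
    # remaining six sectors of the cluster keep the old contents.
    { yes 'new-file-content' | tr -d '\n' | head -c 1000
      head -c $(( SECTOR * 2 - 1000 )) /dev/zero; } \
        | dd of="$vol" bs=1 conv=notrunc status=none
}

# residual_hits VOL: how many copies of the deleted file's marker can still
# be read from the raw volume.
residual_hits() {
    grep -a -o -b OLDSECRET "$1" | wc -l | tr -d ' '
}

# first_residual_offset VOL: byte offset of the first surviving copy.
first_residual_offset() {
    grep -a -o -b OLDSECRET "$1" | head -n 1 | cut -d: -f1
}

# Stand-alone run.
vol=$(mktemp); make_volume "$vol"
echo "slack for a 1000-byte file (RAM slack, file slack): $(slack_bytes 1000)"
echo "deleted-file markers still readable: $(residual_hits "$vol"), first at byte $(first_residual_offset "$vol")"
rm -f "$vol"
```

For the 1000-byte file the arithmetic gives 24 bytes of RAM slack and 3072 bytes of file slack; the 3072 bytes of file slack are exactly the 96 surviving marker copies, starting at byte 1024, the first sector the new file did not need.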
Notes on Windows Drive Acquisition
- Write blockers are especially needed because Windows always mounts drives automatically read/write.
- In contrast, UNIX/Linux drives can be mounted as read-only.
- Remote acquisition is possible through a crossover cable or over a network.

In Practice: Write Blocking and Protection
- Never turn on a PC without having write-blocking software or devices in place.
- Write-blocking devices prevent any writes to a drive, such as may occur when simply turning on a system.

Effective Data Searches
- Carefully prepare and plan the search ahead of time.
- Interview the IT staff to learn how and where data has been stored.
- Confirm or define the objective of the investigation.
- Identify relevant time periods and the scope of the data to be searched.
- Identify the relevant types of data.
- Identify search terms for data filtering, to help locate relevant data and filter out what is irrelevant. Metadata can be invaluable to the filtering process.
- Get usernames and passwords for the network and accounts.
- Check for other computers/devices that could contain evidence.

Identify Data Types
- Active data
- Deleted files
- Hidden, encrypted, and password-protected files
- Automatically stored data and instant messages
- Background information

Keyword Search
- WinHex, EnCase, FTK, and Linux have the capability to search for keywords.
- When notable data is found, it becomes evidence and must be acquired (copied completely).
- If a large number of volumes need to be searched, a keyword search can focus attention on the right one.
Searching Tips: Keywords
- When you enter a keyword into a search program, you are actually entering a search term: the system will find that exact term.
- If you use multiple words, you can restrict the number of results, but also exclude essential evidence.
- If an essential keyword is commonly misspelled, you might search both the correct and common misspellings.
- These tools also can pattern match for items using "regular expressions".

Searching Tips: File Types
- FAT stores a short file name in the directory entry as an 8-character name plus a 3-character extension with no dot between them (NTFS, by contrast, stores the full name). A raw search for the literal string ".jpg" therefore misses FAT directory entries, and the "*" in "*.jpg" is a wildcard, not a character on disk: such a search finds only mentions of the file name in e-mail, documents, etc.
- Just search for the extension.
- Fortunately, most forensics applications will automatically find images by their content (file signature) rather than by name, but not always.

Scenario Project #1: The Mysterious Thumb Drive
- Wendy Martin, an executive assistant, states she saw Vice President Stewart viewing child porn on this computer.
- She immediately contacted Human Resources.
- Stewart denied the charge and produced a USB thumb drive he said he found on the floor.
- You were asked to analyze the thumb drive.
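The following is an added example, not part of the course slides, that runs the Keyword Search and Searching Tips points against a raw image of the kind the scenario's thumb drive would yield: grep in binary mode over the image, an exact term that misses a misspelling, a regular expression that catches both, and the ".jpg" versus "jpg" difference caused by FAT directory entries storing no dot. The image, its e-mail fragment, directory entry and document text are all constructed; GNU grep (-a, -o, -b, -E) is assumed. On a real case point build_image's output path at the .dd file instead.

```shell
#!/bin/sh
# Added example (not from the slides): keyword search over a raw image.
set -e

# build_image IMG: write a constructed 12 KiB "volume" with three regions:
#   byte 0     an e-mail fragment that mentions a file by name,
#   byte 4096  a FAT-style 8.3 directory entry (name + extension, no dot),
#   byte 8192  a document containing a commonly misspelled keyword.
build_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=4096 count=3 status=none
    printf 'From: stewart@example.com\r\nAttached: IMG_0042.jpg, see the confidential figures\r\n' \
        | dd of="$img" bs=1 conv=notrunc status=none
    printf 'IMG_0042JPG ' | dd of="$img" bs=1 seek=4096 conv=notrunc status=none   # "IMG_0042" + "JPG"
    printf 'Q3 payroll is confidental - do not forward' \
        | dd of="$img" bs=1 seek=8192 conv=notrunc status=none
}

# search IMG REGEX: case-insensitive extended regex over the raw bytes;
# prints one "offset:match" line per hit (nothing when there are none).
search() {
    grep -a -o -b -i -E "$2" "$1" || true
}

# hits IMG REGEX: number of matches.
hits() { search "$1" "$2" | wc -l | tr -d ' '; }

# Stand-alone run.
img=$(mktemp); build_image "$img"
echo "exact term 'confidential':        $(hits "$img" 'confidential') hit(s)"
echo "regex 'confiden(tia|ta)l':        $(hits "$img" 'confiden(tia|ta)l') hit(s)"
echo "literal '.jpg':                   $(hits "$img" '\.jpg') hit(s)"
echo "extension only 'jpg':             $(hits "$img" 'jpg') hit(s)"
echo "FAT directory entry found at byte: $(search "$img" 'IMG_0042JPG' | cut -d: -f1)"
rm -f "$img"
```

The exact term finds the e-mail but not the misspelled document; the regular expression finds both; ".jpg" finds only the e-mail mention, while "jpg" also finds the directory entry at byte 4096, which is the one that proves the file existed on the volume.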
More informationSSDD and SSDF Handset seizure Paraben * Seizure test SE K850, SE Xperia
SSDD and SSDF Handset seizure Paraben * Seizure test SE K850, SE Xperia Small Scale Digital Device (SSDD) SSDD definition A Small Scale Digital Device is any of a variety of small form factor devices utilizing
More informationNew Model for Cyber Crime Investigation Procedure
New Model for Cyber Crime Investigation Procedure * *Dept. of IT & Cyber Police, Youngdong University, Rep. of Korea ydshin@youngdong.ac.kr doi:10.4156/jnit.vol2.issue2.1 Abstract In this paper, we presented
More informationVendor: ECCouncil. Exam Code: EC Exam Name: Computer Hacking Forensic Investigator Exam. Version: Demo
Vendor: ECCouncil Exam Code: EC1-349 Exam Name: Computer Hacking Forensic Investigator Exam Version: Demo QUESTION 1 What is the First Step required in preparing a computer for forensics investigation?
More informationComputer forensics Aiman Al-Refaei
Computer forensics Aiman Al-Refaei 29.08.2006 Computer forensics 1 Computer forensics Definitions: Forensics - The use of science and technology to investigate and establish facts in criminal or civil
More informationFundamentals of Linux Platform Security
Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012 Fundamentals of Linux Platform Security Module 11 Introduction to Forensics Overview
More informationComputer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers
Computer Information Systems (CIS) CIS 101 Introduction to Computers This course provides an overview of the computing field and its typical applications. Key terminology and components of computer hardware,
More informationMachine Language and System Programming
زبان ماشين وبرنامه نويسی سيستم Machine Language and System Programming جلسه دوازدھم دانشگاه صنعتی ھمدان پاييز 1389 Objectives Explain the purpose and structure of file systems Describe Microsoft file structures
More informationDigital Forensics UiO
Digital Forensics UiO About Me I am: Eivind Utnes, M.Sc. I work for: Watchcom Security Group AS I work as: Head of Security Senior Information Security Consultant Security Audits Digital Forensics / Incident
More informationIndex. A agent notes worksheets, 168 aio file analysis dynamic analysis GNU debugger, , 362, 364. of recovered uncompressed aio binary,
Jones_index.qxd 8/29/2005 11:04 AM Page 637 Index A agent notes worksheets, 168 aio file analysis dynamic analysis GNU debugger, 358-360, 362, 364 of recovered uncompressed aio binary, 397-402, 408 overview,
More informationDigital Forensics UiO
About Me I am: Eivind Utnes, M.Sc. I work for: Watchcom Security Group AS Digital Forensics UiO I work as: Head of Security Senior Information Security Consultant Security Audits Digital Forensics / Incident
More informationA Study on Linux. Forensics By: Gustavo Amarchand, Keanu. Munn, and Samantha Renicker 11/1/2018
A Study on Linux 11/1/2018 Forensics By: Gustavo Amarchand, Keanu Munn, and Samantha Renicker Abstract In the field of computer forensics investigators must be familiar with many different systems and
More informationNCIRC Security Tools NIAPC Submission Summary Encase Enterprise Edition
NCIRC Security Tools NIAPC Submission Summary Encase Enterprise Edition Document Reference: Security Tools Internal NIAPC Submission NIAPC Category: Forensics Date Approved for Submission: 24-04-2007 Evaluation/Submission
More informationDigital Forensics Validation, Performance Verification And Quality Control Checks. Crime Scene/Digital and Multimedia Division
Validation, Performance Verification And Quality Control Checks 5. VALIDATION, PERFORMANCE VERIFICATION AND QUALITY CONTROL CHECKS 5.1. Purpose 5.1.1. The purpose of this procedure is to establish guidelines
More informationRunning head: FTK IMAGER 1
Running head: FTK IMAGER 1 FTK Imager Jean-Raymond Ducasse CSOL-590 June 26, 2017 Thomas Plunkett FTK IMAGER 2 FTK Imager Outline Process for Adding Individual Files & Folders as Evidence Items Although
More informationKNOPPIX Bootable CD Validation Study for Live Forensic Preview of Suspects Computer
KNOPPIX Bootable CD Validation Study for Live Forensic Preview of Suspects Computer By: Ernest Baca www.linux-forensics.com ebaca@linux-forensics.com Page 1 of 18 Introduction I have recently become very
More informationInstitute for Advanced Studies 16 th June 2010 Digital Triage
Institute for Advanced Studies 16 th June 2010 Digital Triage Mike Dickson Forensic Analyst SCDEA e-crime What Is Triage? Three Casualty States Those who are likely to live, regardless of what care they
More informationVISUAL CORRELATION IN THE CONTEXT OF POST-MORTEM ANALYSIS
VISUAL CORRELATION IN THE CONTEXT OF POST-MORTEM ANALYSIS Michael Hayoz and Ulrich Ultes-Nitsche Research group on telecommunications, networks & security Department of Informatics, University of Fribourg,
More informationDATA RECOVERY FROM PROPRIETARY- FORMATTED CCTV HARD DISKS
Chapter 15 DATA RECOVERY FROM PROPRIETARY- FORMATTED CCTV HARD DISKS Aswami Ariffin, Jill Slay and Kim-Kwang Choo Abstract Digital video recorders (DVRs) for closed-circuit television (CCTV) commonly have
More informationSelective deletion of non-relevant Data
Selective deletion of non-relevant Data Christian Zoubek, Konstantin Sack 23rd March 2017 Outline - Introduction - Selective deletion - Evaluation - Conclusion page 2 Motivation - In law enforcement investigations
More informationON THE SELECTION OF WRITE BLOCKERS FOR DISK ACQUISITION: A COMPARATIVE PRACTICAL STUDY
ON THE SELECTION OF WRITE BLOCKERS FOR DISK ACQUISITION: A COMPARATIVE PRACTICAL STUDY Mousa Al Falayleh College of Computer Info. Tech. American University in the Emirates Dubai, United Arab Emirates
More informationInformation Security Incident Response Plan
Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,
More informationScientific Working Group on Digital Evidence
Disclaimer: As a condition to the use of this document and the information contained therein, the SWGDE requests notification by e-mail before or contemporaneous to the introduction of this document, or
More informationInformation Security Incident Response Plan
Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,
More informationIT010: CHFI: Computer Hacking Forensic & Investigation
IT010: CHFI: Computer Hacking Forensic & Investigation IT010 Rev.001 CMCT COURSE OUTLINE Page 1 of 17 Training Description: This course will provide participants the necessary skills to identify intruders
More informationComputer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition. Chapter 6 Linux Forensics
Computer Forensics: Investigating File and Operating Systems, Wireless Networks, and Storage, 2nd Edition Chapter 6 Linux Forensics Objectives After completing this chapter, you should be able to: Create
More informationDESIGN AND IMPLEMENTATION OF A NETWORK FORENSICS SYSTEM FOR LINUX
DESIGN AND IMPLEMENTATION OF A NETWORK FORENSICS SYSTEM FOR LINUX Hong-Ming Wang National Kaohsiung Normal University Kaohsiung, Taiwan alexwang24@gmail.com Chung-Huang Yang National Kaohsiung Normal University
More informationForensic Image Capture. Digital Forensics NETS1032 Winter 2018
Forensic Image Capture Digital Forensics NETS1032 Winter 2018 Storage Devices Storage devices are implemented using one or more of several technologies The oldest method of modern information storage is
More informationIntroduction to Volume Analysis, Part I: Foundations, The Sleuth Kit and Autopsy. Digital Forensics Course* Leonardo A. Martucci *based on the book:
Part I: Foundations, Introduction to Volume Analysis, The Sleuth Kit and Autopsy Course* Leonardo A. Martucci *based on the book: File System Forensic Analysis by Brian Carrier LAM 2007 1/12h Outline Part
More informationDIGITAL FORENSICS FORENSICS FRAMEWORK FOR CLOUD COMPUTING
17.09.24 DIGITAL FORENSICS FORENSICS FRAMEWORK FOR CLOUD COMPUTING FORENSICS FRAMEWORK FOR CLOUD COMPUTING OUTLINE Abstract Introduction Challenges in cloud forensics Proposed solution Conclusion Opinion
More informationUnit code: D/601/1939 QCF Level 5: BTEC Higher National Credit value: 15
Unit 49: Digital Forensics Unit code: D/601/1939 QCF Level 5: BTEC Higher National Credit value: 15 Aim To provide learners with an understanding of the principles of digital forensics and the impact on
More informationSECURE, AUDITED PROCESSING OF DIGITAL EVIDENCE: FILESYSTEM SUPPORT FOR DIGITAL EVIDENCE BAGS
i ii SECURE, AUDITED PROCESSING OF DIGITAL EVIDENCE: FILESYSTEM SUPPORT FOR DIGITAL EVIDENCE BAGS Golden G. Richard III and Vassil Roussev Department of Computer Science, University of New Orleans New
More informationDIS10.3:CYBER FORENSICS AND INVESTIGATION
DIS10.3:CYBER FORENSICS AND INVESTIGATION ABOUT DIS Why choose Us. Data and internet security council is the worlds top most information security certification body. Our uniquely designed course for information
More informationDigital Forensics. Module 6 CS 996
Digital Forensics Module 6 CS 996 Module #5 Covered B of A case; corporate responsibility for security New security standards: NIST 800-53 and ITIL Another new security standard: ISF Standard of Good Practice
More informationImplementing Hard Drives
Implementing Hard Drives Chapter 12 Overview In this chapter, you will learn how to Explain the partitions available in Windows Discuss hard drive formatting options Partition and format hard drives Maintain
More informationECCouncil Computer Hacking Forensic Investigator (V8)
ECCouncil 312-49v8 ECCouncil Computer Hacking Forensic Investigator (V8) Version: 9.0 QUESTION NO: 1 ECCouncil 312-49v8 Exam What is the First Step required in preparing a computer for forensics investigation?
More informationIncident Response & Forensic Best Practice. Cyber Attack!
Incident Response & Forensic Best Practice Cyber Attack! Overview Incident Response Forensic Requirement / Evidence Handling Investigative Steps Log Interpretation Advanced Correlation For Traceability
More informationCIS Business Computer Forensics and Incident Response. Lab Protocol 03: Acquisition
CIS 8630 Business Computer Forensics and Incident Response Lab Protocol 03: Acquisition Purpose: Ensure every student has experienced imaging digital storage media, hashing digital media, transferring
More informationUsing Linux VMware and SMART to Create a Virtual Computer to Recreate a Suspect's Computer. By:
Using Linux VMware and SMART to Create a Virtual Computer to Recreate a Suspect's Computer By: Ernest Baca ebaca@linux-forensics.com www.linux-forensics.com Page 1 of 7 Introduction: Since beginning my
More informationForensics on the Windows Platform, Part Two by Jamie Morris last updated February 11, 2003
SecurityFocus HOME Infocus: Forensics on the Windows Platform, Part Two 2003-02-17 12:56:05-0900 SFOnline Forensics on the Windows Platform, Part Two by Jamie Morris last updated February 11, 2003 Introduction
More informationForensic Toolkit System Specifications Guide
Forensic Toolkit System Specifications Guide February 2012 When it comes to performing effective and timely investigations, we recommend examiners take into consideration the demands the software, and
More informationReviewing the Results of the Forensic Analysis
CYBERSECURITY FORENSICS WORKSHOP Reviewing the Results of the Forensic Analysis Ian M Dowdeswell Incident Manager, Q-CERT 2 CYBERSECURITY FORENSICS WORKSHOP Caveats This is not an actual crime it has been
More informationInvestigations and Incident Response Using BackTrack
Investigations and Incident Response Using BackTrack HTCIA New England Chapter General Meeting September 22, 2009 Ming Chow Tufts University mchow@cs.tufts.edu http://www.cs.tufts.edu/~mchow 1 Introduction
More informationCSE 4482 Computer Security Management: Assessment and Forensics. Computer Forensics: Working with Windows and DOS Systems
CSE 4482 Computer Security Management: Assessment and Forensics Computer Forensics: Working with Windows and DOS Systems Instructor: N. Vlajic,, Fall 2010 Required reading: Guide to Computer Forensics
More informationBackup challenge for Home Users
PARAGON Technologie GmbH, Systemprogrammierung Heinrich-von-Stephan-Str. 5c 79100 Freiburg, Germany Tel. +49 (0) 761 59018201 Fax +49 (0) 761 59018130 Internet www.paragon-software.com Email sales@paragon-software.com
More information