Computer forensics Aiman Al-Refaei

Similar documents
When Recognition Matters WHITEPAPER CLFE CERTIFIED LEAD FORENSIC EXAMINER.

Certified Digital Forensics Examiner

Certified Digital Forensics Examiner

A Road Map for Digital Forensic Research

Financial CISM. Certified Information Security Manager (CISM) Download Full Version :

Incident Handling. Road Map. Week 4: Incidents, Evidence and the Law. Types of Evidence. Digital Evidence. Characteristics of Evidence

Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI)

Incident Response Data Acquisition Guidelines for Investigation Purposes 1

THE INTERNATIONAL INSTITUTE OF CERTIFIED FORENSIC ACCOUNTANTS, INC. USA. CERTIFIED IN FRAUD & FORENSIC ACCOUNTING (Cr.

Global Alliance Against Child Sexual Abuse Online 2014 Reporting Form

COMPUTER FORENSICS THIS IS NOT CSI COLORADO SPRINGS. Frank Gearhart, ISSA Colorado Springs

Incident Handling. Week 4: Incidents, Evidence and the Law

Digital Forensics for Attorneys

e-discovery Forensics Incident Response

DIGITAL EVIDENCE TOOL BOX

Information Security Incident Response Plan

Educating Judges, Prosecutors and Lawyers in the Use of Digital Forensic Experts

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations

Data Breach Preparation and Response. April 21, 2017

Information Security Incident Response Plan

Guide for Minimum Qualifications and Training for a Forensic

OHLONE COLLEGE Ohlone Community College District OFFICIAL COURSE OUTLINE

Professional Training Course - Cybercrime Investigation Body of Knowledge -

Responding to Cybercrime:

SPECIAL ISSUE, PAPER ID: IJDCST-09 ISSN

DIGITAL FORENSICS FORENSICS FRAMEWORK FOR CLOUD COMPUTING

Data Preservation Checklists

EXPERT WITNESS: Completion of a perfect circle

COMPUTER FORENSICS (CFRS)

Computer Forensics US-CERT

Credit Card Data Compromise: Incident Response Plan

Guiding principles on the Global Alliance against child sexual abuse online

ATHABASCA UNIVERSITY

Digital Forensics UiO

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Digital Forensics UiO. Digital Forensics in Incident Management. About Me. Outline. Incident Management. Finding Evidence.

BIG DATA ANALYTICS IN FORENSIC AUDIT. Presented in Mombasa. Uphold public interest

Guest on Digital Forensics April André Årnes, PhD

Introduction to Computer Forensics

THINGS YOU NEED TO KNOW BEFORE DELVING INTO THE WORLD OF DIGITAL EVIDENCE. Roland Bastin Partner Risk Advisory Deloitte

Unit code: D/601/1939 QCF Level 5: BTEC Higher National Credit value: 15

IMS5002 Information Systems Security

Security Incident Investigation

Contingency Planning

New Model for Cyber Crime Investigation Procedure

CLOUD FORENSICS : AN OVERVIEW. Kumiko Ogawa

DIGITAL FORENSICS. We Place Digital Evidence at Your Fingertips. Cyanre is South Africa's leading provider of computer and digital forensic services

Digital Forensics UiO

Digital Forensics UiO

TEL2813/IS2820 Security Management

Incident Response & Evidence Management

Forensic Analysis Approach Based on Metadata and Hash Values for Digital Objects in the Cloud

Incident Response & Forensic Best Practice. Cyber Attack!

Global Alliance Against Child Sexual Abuse Online 2014 Reporting Form BOSNIA AND HERZEGOVINA. Policy Target No. 1

Employee Privacy, Digital Evidence, and the CFE. Kenneth C. Citarella, M.B.A., J.D., CFE Managing Director, Investigations Guidepost Solutions LLC

Forensics for Cybersecurity. Pete Dedes, CCE, GCFA, GCIH

- To aid in the investigation by identifying. - To identify the proper ISP, webhosting. - To use in search warrant affidavits for to

Trends in Mobile Forensics from Cellebrite

Reviewing the Results of the Forensic Analysis

CYBERCRIME AS A NEW FORM OF CONTEMPORARY CRIME

Computer Information Systems (CIS) CIS 105 Current Operating Systems/Security CIS 101 Introduction to Computers

Scientific Working Groups on Digital Evidence and Imaging Technology

Global Cybercrime Certification

DATA RECOVERY FROM PROPRIETARY- FORMATTED CCTV HARD DISKS

Safeguarding Unclassified Controlled Technical Information

Certification. Forensic Certification Management Board. Robert J. Garrett, Director

Understanding Computer Forensics

COMPUTER HACKING Forensic Investigator

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

Chapter 4 After Incident Detection

Legal, Ethical, and Professional Issues in Information Security

A Criminal Intrudes into a Bank in Geneva Korean agents. Canadian agents make the arrest. Argentinian investigators. discover. attack came from Seoul

ITU Model Cybercrime Law: Project Overview

After the Attack. Business Continuity. Planning and Testing Steps. Disaster Recovery. Business Impact Analysis (BIA) Succession Planning

Vendor: ECCouncil. Exam Code: EC Exam Name: Computer Hacking Forensic Investigator Exam. Version: Demo

Federal Rules of Civil Procedure IT Obligations For

Making a Victim Personal Statement. You have a voice in the criminal justice system and have a right to explain how the crime has affected you

The City of Mississauga may install Closed Circuit Television (CCTV) Traffic Monitoring System cameras within the Municipal Road Allowance.

The Forensic Chain-of-Evidence Model: Improving the Process of Evidence Collection in Incident Handling Procedures

Cleveland State University General Policy for University Information and Technology Resources

The Trustworthiness of Digital Records

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Legal Foundation and Enforcement: Promoting Cybersecurity

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Scientific Working Group on Digital Evidence

Cellular Site Simulator Usage and Privacy

Certified Cyber Security Analyst VS-1160

CCTV Privacy Impact Assessment

Certified Information Systems Auditor (CISA)

Syllabus. Course Title: Cyber Forensics Course Number: CIT 435. Course Description: Prerequisite Courses: Course Overview

Information Security in Corporation

RMU-IT-SEC-01 Acceptable Use Policy

M.S. IN INFORMATION ASSURANCE MAJOR: CYBERSECURITY. Graduate Program

Applications for Preservation and Production in our Digital World

Gujarat Forensic Sciences University

Organization of Scientific Area Committees for Forensic Science (OSAC)

COWLEY COLLEGE & Area Vocational Technical School

FORENSIC LABORATORY DEVELOPMENT AND MANAGEMENT: INTERNATIONAL BEST PRACTICES BY AGWEYE, BENEDICT HEAD OF FORENSICS, EFCC

Transcription:

Computer forensics Aiman Al-Refaei 29.08.2006 Computer forensics 1

Computer forensics Definitions: Forensics - The use of science and technology to investigate and establish facts in criminal or civil courts of law. Computer Forensics - Commonly defined as the collection, preservation, analysis and court presentation of computer-related evidence. 29.08.2006 Computer forensics 2

Computer forensics Proper Acquisition and Preservation of Computer Evidence. Authentication of Collected Data for Court Presentation. Recovery of All Available Data, Including delete files. 29.08.2006 Computer forensics 3

Computer Forensics scope and characteristics Scope: The collection and search of specific data that will serve as acceptable evidence in a court of law. Computer Forensics deals with: storage media (e.g. hard disks), the examination and analysis of network logs. 29.08.2006 Computer forensics 4

Incidents Incident: any security relevant adverse event that might threaten the security of a computer system or a network. An event must have observable and recordable characteristics: The connection to a system via a network, The file access, System shutdown, etc. 29.08.2006 Computer forensics 5

Security Incident Security Incident People/Organization Policies Technologies Processes 29.08.2006 Computer forensics 6

Types of Incidents Most incidents point towards: Confidentiality, Integrity, Availability. Different types of incidents: Repudiation, Harassment, Pornography trafficking, Organized crime activity, Subversion. 29.08.2006 Computer forensics 7

Incident Response Incident Response is a new field with similar goals as IT Security. Scope: to negate or minimize the impact of an incident, reacting by taking certain actions. It can be used to restore confidentiality, integrity, and availability. A particular important part of the legal side of incident response is the area of forensics 29.08.2006 Computer forensics 8

Why is Evidence important? In the legal world, Evidence is EVERYTHING. Evidence is used to establish facts. The Forensic Examiner is not biased. Evidence must be: Scientifically sound. Legally accepted. 29.08.2006 Computer forensics 9

Types of Evidence Inculpatory Evidence Supports a given theory Exculpatory Evidence Contradicts a given theory Evidence of Tampering Shows that the system was tampered with to avoid identification 29.08.2006 Computer forensics 10

Rules of Evidence Complete Authentic Admissible Reliable Believable 29.08.2006 Computer forensics 11

Who needs Computer Forensics? The Victim! Law Enforcement Insurance Carriers Legal System 29.08.2006 Computer forensics 12

Who are the Victims? Private Business Government Private Individuals 29.08.2006 Computer forensics 13

29.08.2006 Computer forensics 14

29.08.2006 Computer forensics 15

Reasons for a Forensic Analysis ID the perpetrator. ID the method of the network that allowed the perpetrator to gain access into the system. Conduct a damage assessment of the victimized network. Preserve the Evidence for Judicial action. 29.08.2006 Computer forensics 16

Forensics Process Acquisition. Identification Technical Analysis. Evaluation What the Lawyers Do. Presentation. 29.08.2006 Computer forensics 17

Acquisition: Track or Observe a Live Intruder? Assess Extent of Live Intrusion? Preserve Evidence for Court? Close the Holes and Evict the Unwanted Guest? Support for Police Arrest? Support for Court Ordered Subpoena? 29.08.2006 Computer forensics 18

Identification: Physical Context: Exhibit A Seagate 4GB HD Logical Context: identified as /dev/hda1 mounted as / file:/etc/hosts.equiv Presentation/Use Context: /etc/hosts.equiv is used to control access to the system Opinion to support relevance of findings: a + was found appended to the end of this file Handling and labeling of objects submitted for forensic analysis is key. Following a documented procedure is key. 29.08.2006 Computer forensics 19

Evaluation: This is what lawyers (or those concerned with the case) do. Basically, determine relevance. Presentation of findings is key in this phase. Findings submitted for evaluation as evidence will not only be evaluated for validity but for chain of custody problems. 29.08.2006 Computer forensics 20

Presentation: Some findings will not be evaluated to be worthy of presentation as evidence. Few findings will need to withstand rigorous examination by another expert witness. The evaluator of evidence may be expected to defend their methods of handling the evidence being presented. The Chain of Custody may be challenged 29.08.2006 Computer forensics 21

Thank you 29.08.2006 Computer forensics 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback