Investigation
Digital Forensics
Digital Investigation
Focuses on a digital device
Computer
Router
Switch
Cell-phone
SIM-card
Kindle
…
Focuses on a digital device involved in an incident or crime, for example:
Computer intrusion
Generic criminal activity
Perpetrator uses the internet to gather information used in the perpetration of a crime.
Digital device is an instrument of a crime
Perpetrator uses a cell-phone to set off a bomb.
Email scams
Internet auction fraud
Crimeware
Computer is used to intrude into another system
Botnet
Can have different goals, and the goal determines what is collected and how carefully:
Prevention of further intrusions.
Goal is to reconstruct the modus operandi of the intruder so that further intrusions can be prevented.
Assessment of damage.
Goal is to certify the system for safe use again.
Reconstruction of an incident.
For criminal proceedings.
For organization-internal proceedings.
Process in which we develop and test hypotheses that answer questions about digital events.
We can use an adaptation of the scientific method: establish hypotheses based on our findings and
then (if possible) test those hypotheses against the findings of additional investigation.
Evidence
Procedural notion
That on which our findings are based.
Legal notion
Defined by the “rules of evidence”
These differ by jurisdiction
Forensics
Used in the “forum”, especially in judicial proceedings.
Definition: relating to or denoting the application of scientific methods and techniques to the investigation of crime.
In this case: cyber crime.
Computer Forensics
Nonhearsay: Records created by a process that does not involve a human assertion
Telephone toll records
Cell tower logs
Embedded GPS data
ATM records
Web server logs
Nonhearsay records:
Are not human statements
Result from a program designed to process information
Either: there is no person involved
Or: the human conduct involved is non-assertive (e.g. dialling a number, inserting a card)
The issue is therefore authentication
Were the computer equipment and the software functioning properly when the record was made?
Nature of Computer Evidence
While computer evidence is often argued under the business-record exception to the hearsay rule,
most of it is nonhearsay in the first place.
The real question is authentication:
Does the evidence say what it purports to say?
Expectations of Privacy
Stems from the customs of a society.
Is an ethical right.
Is legally protected.
Can be modified or removed by company policy.
Ethical and Legal Requirements for Collecting Evidence
Degrees of Volatility (most volatile first; collect in this order)
1. Memory
2. Running processes
3. Network state
4. Permanent Storage Devices
Reacting to Volatility
Plan before touching the system:
What evidence are you looking for?
Where can it be found?
How do you get it without destroying it?
Graceful shutdown
Destroys volatile evidence (memory, running processes, network state).
Alters system files (logs, caches, timestamps).
Allows clean-up software to run (shutdown scripts, anti-forensic tools left by the intruder).
Live Examination
An intruder with root privileges can watch what you do.
System tools can be trojaned, including booby-trapped (running them may trigger clean-up).
Use forensic tools from your own floppy / CD rather than the system's binaries.
Does not help if the system is rootkitted at the kernel level: even trusted binaries get their data through the compromised kernel.
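The plan-then-collect procedure on these slides, as an added example that is not part of the original deck: a POSIX shell script that acquires the volatile evidence in the order listed above, runs only binaries from a trusted toolkit directory (standing in for the floppy / CD of the slides), and writes a manifest that hashes each output file and the tool that produced it. The toolkit path, the output path, the `VOLATILITY_ORDER` table and the `collect_volatile` function name are assumptions made for this example; the memory step uses /proc/meminfo as a stand-in because a real memory image needs a dedicated acquisition tool in that slot.

```shell
#!/bin/sh
# Added example, not from the original slides: collect volatile evidence from a
# live system in order of volatility (memory, processes, network, storage) using
# only tools from trusted media, and record what was collected and with which tool.
#
# Assumptions (not stated on the slides): $1 is the mount point of the trusted
# toolkit (statically linked binaries on read-only media such as a CD), $2 is a
# writable output location off the suspect disk (external drive or network share).
# The memory step is a stand-in: a real memory image needs a dedicated acquisition
# tool (e.g. LiME on Linux) placed in the same slot.

# Collection steps, most volatile first: "<rank> <name> <command>".
VOLATILITY_ORDER='
1 memory    cat /proc/meminfo
2 processes ps -ef
3 network   cat /proc/net/tcp /proc/net/udp
4 storage   cat /proc/mounts
'

collect_volatile() {
    tooldir=$1
    outdir=$2
    [ -d "$tooldir" ] || { echo "trusted toolkit not found at $tooldir" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    (
        # Subshell so the PATH restriction does not leak back to the caller.
        # Only the trusted media is on PATH: a trojaned /bin/ps is never executed.
        # Caveat from the slides: a kernel-level rootkit can still feed false data
        # to these trusted binaries, since they read through the compromised kernel.
        PATH=$tooldir
        export PATH
        manifest=$outdir/MANIFEST
        ts=$(date -u +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || echo unknown-time)
        printf 'acquisition_start %s\n' "$ts" > "$manifest"
        printf '%s\n' "$VOLATILITY_ORDER" | while read -r rank name cmd; do
            [ -n "$rank" ] || continue
            out=$outdir/$rank-$name.txt
            bin=${cmd%% *}
            # Resolve the tool against the restricted PATH; refuse to fall back
            # to anything on the suspect system.
            if ! path=$(command -v "$bin" 2>/dev/null); then
                printf '%s %s MISSING tool=%s\n' "$rank" "$name" "$bin" >> "$manifest"
                continue
            fi
            if eval "$cmd" > "$out" 2>> "$outdir/errors.log"; then
                status=OK
            else
                status=FAILED
            fi
            # Hash both the evidence file and the binary that produced it, so the
            # chain of custody records exactly which tool was run.
            sum=$(sha256sum "$out" 2>/dev/null || true); sum=${sum%% *}
            tsum=$(sha256sum "$path" 2>/dev/null || true); tsum=${tsum%% *}
            printf '%s %s %s tool=%s tool_sha256=%s file=%s sha256=%s\n' \
                "$rank" "$name" "$status" "$path" "${tsum:-unavailable}" \
                "$out" "${sum:-unavailable}" >> "$manifest"
        done
        ts=$(date -u +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || echo unknown-time)
        printf 'acquisition_end %s\n' "$ts" >> "$manifest"
    )
}
```

Mount the media read-only, write to external storage, and do not reboot first: the graceful shutdown warned about above destroys steps 1 to 3 before you get to them. The manifest is what you later authenticate the evidence with (which tool, which hash, when). As the slides note, none of this helps against a kernel rootkit, which answers the trusted tools with the same lies it tells the system's own binaries.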