Published on November 19, 2009
Security Technology Forum - CSI Security Technology forum will operate to provide a knowledge sharing forum and also provide a platform for research in emerging technology in the area of Security for Members of CSI. Vision is to make India safe and secure by use of technology. Mission is to enable Indian technology professionals to understand world class security technology by effectively developing and sharing knowledge assets and best practices.
Contents of the Interaction
- Concept of Forensic
- Need & Purpose of Forensic
- Computer Forensic
- Role of IT for Forensic
- Data Collection / Mining Tools
- Data Analysis & Reporting
- Fraud Detection & Auditing
Forensics – Forensic Science
Forensic science (often shortened to forensics) is the application of a broad spectrum of sciences to answer questions of interest to a legal system. This may be in relation to a crime or a civil action. Besides its relevance to a legal system, more generally forensics encompasses the accepted scholarly or scientific methodology and norms under which the facts regarding an event, an artifact, or some other physical item (such as a corpse) are ascertained as being the case. In that regard the concept is related to the notion of authentication, whereby an interest outside of a legal forum exists in determining whether an object is what it purports to be, or is alleged as being.
Computer Forensic
The goal of computer forensics is to explain the current state of a digital artifact. The term digital artifact can include a computer system, a storage medium (such as a hard disk or CD-ROM), an electronic document (e.g. an email message or JPEG image) or even a sequence of packets moving over a computer network. The field of computer forensics also has sub-branches within it such as firewall forensics, network forensics, database forensics and mobile device forensics.
Simplified Understanding
- Forensic = Postmortem
- Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.
- Recovering information the naked eye can no longer see.
Need for Computer Forensic Techniques
Evidence might be required for a wide range of computer crimes and misuses. Computer forensic techniques are deployed:
- In legal cases, to analyze computer systems belonging to defendants (in criminal cases) or litigants (in civil cases).
- To recover data in the event of a hardware or software failure.
- To analyze a computer system after a break-in, for example to determine how the attacker gained access and what the attacker did.
- To gather evidence against an employee that an organization wishes to terminate.
- To gain information about how computer systems work for the purpose of debugging, performance optimization, or reverse-engineering.
Reasons For Evidence
Evidence is needed for a wide range of computer crimes and misuses.
Non-Business Environment: evidence collected by Federal, State and local authorities for crimes relating to:
- Theft of trade secrets
- Fraud
- Extortion
- Industrial espionage
- Possession of pornography
- SPAM investigations
- Virus/Trojan distribution
- Homicide investigations
- Intellectual property breaches
- Unauthorized use of personal information
- Forgery
- Perjury
Reasons For Evidence (cont)
Computer-related crime and violations include a range of activities. Business Environment:
- Theft of or destruction of intellectual property
- Unauthorized activity
- Tracking internet browsing habits
- Reconstructing events
- Inferring intentions
- Selling company bandwidth
- Wrongful dismissal claims
- Sexual harassment
- Software piracy
Who Uses Computer Forensics?
- Criminal Prosecutors: rely on evidence obtained from a computer to prosecute suspects and use as evidence.
- Civil Litigations: personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases.
- Insurance Companies: evidence discovered on a computer can be used to mollify costs (fraud, worker’s compensation, arson, etc).
- Private Corporations: evidence obtained from employee computers can be used as evidence in harassment, fraud, and embezzlement cases.
Steps Of Computer Forensics
According to many professionals, Computer Forensics is a four (4) step process:
- Acquisition: physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices.
- Identification: identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites.
- Evaluation: evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court.
- Presentation: presenting the evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and which is suitable as evidence as determined by United States and internal laws.
Handling Information
Information and data being sought after and collected in the investigation must be properly handled.
Volatile Information:
- Network Information: communication between the system and the network
- Active Processes: programs and daemons currently active on the system
- Logged-on Users: users/employees currently using the system
- Open Files: libraries in use; hidden files; Trojans (rootkits) loaded in the system
Non-Volatile Information:
- Configuration settings, system files and registry settings that are available after reboot
- Accessed through drive mappings from the system
- This information should be investigated and reviewed from a backup copy
Anti-Forensics
Software that limits and/or corrupts evidence that could be collected by an investigator:
- Performs data hiding and distortion (HPA & logic bombs)
- Exploits limitations of known and used forensic tools
- Works on both Windows and Linux based systems
- Put in place prior to or after system acquisition
Evidence Processing Guidelines
Steps of processing evidence:
- Step 1: Shut down the computer. Consideration must be given to volatile information. This prevents remote access to the machine and destruction of evidence (manual or by anti-forensic software).
- Step 2: Document the hardware configuration of the system. Note everything about the computer configuration prior to re-locating it.
- Step 3: Transport the computer system to a secure location. Do not leave the computer unattended unless it is locked in a secure location.
- Step 4: Make bit stream backups of hard disks and floppy disks.
- Step 5: Mathematically authenticate data on all storage devices. You must be able to prove that you did not alter any of the evidence after the computer came into your possession.
- Step 6: Document the system date and time.
- Step 7: Make a list of key search words.
- Step 8: Evaluate the Windows swap file.
- Step 9: Evaluate file slack. File slack is a data storage area of which most computer users are unaware; it is a source of significant security leakage.
- Step 10: Evaluate unallocated space (erased files).
- Step 11: Search files, file slack and unallocated space for key words.
- Step 12: Document file names, dates and times.
- Step 13: Identify file, program and storage anomalies.
- Step 14: Evaluate program functionality.
- Step 15: Document your findings.
- Step 16: Retain copies of software used.
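The following Python is an added example, not part of the presentation, showing how Step 5 (mathematically authenticating an acquired image) and Step 9 (pulling file slack out of that image) can be carried out. The four-cluster in-memory image, the 512-byte cluster size and the function names are assumptions constructed for the demonstration.

```python
import hashlib
import math

CLUSTER = 512  # assumed allocation unit of the constructed image (bytes)


def build_sample_image() -> bytes:
    """Constructed four-cluster 'bit-stream image' used as sample input.

    Clusters 0-1 are allocated to a file whose logical size is 700 bytes,
    so bytes 700..1023 are file slack; here the slack still carries residue
    of earlier content, which is what Step 9 looks for. Clusters 2-3 are
    unallocated (Step 10) and hold an 'erased' fragment.
    """
    img = bytearray(CLUSTER * 4)
    img[0:700] = b"A" * 700                                        # live file content
    img[700:1024] = b"residue of a deleted memo".ljust(324, b"\x00")  # file slack
    frag = b"erased file fragment in unallocated space"
    img[1024:1024 + len(frag)] = frag                             # unallocated space
    return bytes(img)


def hash_image(image: bytes, chunk: int = 1 << 20) -> dict:
    """Step 5: hash the whole image in chunks (so multi-GB images fit in memory)
    and return a manifest {algorithm: hexdigest} to record with the evidence."""
    hashers = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    for off in range(0, len(image), chunk):
        block = image[off:off + chunk]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image: bytes, manifest: dict) -> bool:
    """Re-hash the working copy and compare every recorded digest; any mismatch
    means the copy can no longer be shown to be the one originally acquired."""
    current = hash_image(image)
    return all(current[name] == digest for name, digest in manifest.items())


def file_slack(image: bytes, start: int, logical_size: int,
               cluster: int = CLUSTER) -> bytes:
    """Step 9: bytes between a file's logical end and the end of its last
    allocated cluster. A file ending on a cluster boundary has no slack."""
    allocated = math.ceil(logical_size / cluster) * cluster
    return image[start + logical_size:start + allocated]


if __name__ == "__main__":
    img = build_sample_image()
    manifest = hash_image(img)
    print("manifest:", manifest)
    print("verified:", verify_image(img, manifest))
    print("slack:", file_slack(img, 0, 700).rstrip(b"\x00"))
```

Run the script once at acquisition time to produce the manifest, and again before each examination to confirm the working copy still matches it.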
Methods Deployed
- Discovering data on a computer system
- Recovering deleted, encrypted, or damaged file information
- Monitoring live activity
- Detecting violations of corporate policy
Fraud
A fraud is an intentional deception made for personal gain or to damage another individual. The specific legal definition varies by legal jurisdiction. Fraud is a crime, and is also a civil law violation. Many hoaxes are fraudulent, although those not made for personal gain are not technically frauds. Defrauding people of money is presumably the most common type of fraud.
Fraud – Fast Facts
- Not aligning with the norm
- Use of deception & misrepresentation to obtain an unjust advantage