Practical Application of Computer Forensics
Lisa Outlaw, CISA, CISSP, ITIL Certified

Overview
• Definition of Computer Forensics
• Computer Forensics & IT Auditing
• Why We Need Computer Forensics
• The Process (Do's & Don'ts)
– Identification
– Collection of Evidence
– Required Documentation
– Imaging
– Examination
– Report Preparation
– Returning of Evidence

Definition of Computer Forensics
Computer forensics involves the identification, collection, preservation, examination, and analysis of digital information. Digital information becomes digital evidence.

What is Digital Evidence?
Digital evidence is any information of value that is either stored or transmitted in binary form, including digital audio, image, and video.

Computer Forensic Examination
The computer forensic examination is locating digital evidence. The evidence must be able to withstand close scrutiny or a legal challenge.

Computer Forensics & IT Audit
• Incorporate computer forensic services
• Cases are increasingly requiring computer forensics
• IT Auditors have:
– authority
– technical know-how

Reasons for Computer Forensic Services
• Inappropriate use of state systems
• Determining a security breach
• Detection of disloyal employees
• Evidence for disputed dismissals
• Malicious file identification
• Theft of information assets
• Forgeries of documents

The Process
(1) Identification
(2) Collection of Evidence
(3) Required Documentation
(4) Imaging
(5) Examination
(6) Report Preparation
(7) Returning of Evidence

Identification
IT AUDITOR'S ROLE (Forensic Specialist)
1. Determine if the reason for computer forensics is appropriate.
2. Identify where additional digital evidence may reside.
CLIENT'S ROLE (ex. State University)
1. Determine when to use Computer Forensic Services.
2. Identify where digital evidence may reside.

Collection of Evidence
• IT AUDITOR'S ROLE
– Help the client secure the computer to be examined
– Require and complete the necessary forms
– Securely collect the computer from the client
• CLIENT'S ROLE
– Ensure that the computer to be examined remains secure until collected
– Notify appropriate personnel
– Complete the Chain of Custody form

Collection of Evidence – Do's & Don'ts
• Do not disturb the computer in question.
• If the computer is off, leave it off.
• If the computer is on, leave it on.
• Do not run any programs on the computer.
• Do not make any changes.
• Do not insert anything into the computer.
• Secure the computer.

Required Documentation
• Computer Forensic Request Form
• Chain of Custody Form
• Signatures
• Disclosures and Disclaimers

Required Documentation – Roles
IT Auditor's Role
– Assign a case number
– Assign a team
– Document the date & time of the request
– Name of requestor
– Agency name
– Name of the head of the agency
– Document hard drive serial numbers
– Document the computers: MAC address, static IP address, serial number, make & model
– Reason for request
– Desired objectives
– Approval from the OSA ISA Director & Legal Counsel
Client's Role
– Date & time the client secured the device

We also obtain approval from both the ISA director and legal counsel before commencing computer forensic services. This approval is documented on the requisition forms and filed with the case evidence as well.

Required Documentation – Signatures
IT Auditor's Role
– Sign and date the form
– Obtain Director and Legal Counsel approval
Client's Role
– Sign and date the form
– Obtain Agency Head approval

Additional Chain of Custody Form
The Chain of Custody form is continued on the reverse side of the Computer Forensic Request form. Its fields are:
– FAS
– Model
– Device Serial#
– Make
– Signature
– Print Name
– Reason
– Date
– Time
– Relinquished By:
– Received By:

Why Are These Documents Necessary?
• Collect important information
• Legal aspects
• "Get out of jail free" card

Imaging
• IT AUDITOR'S ROLE
– Determine where to perform the image:
– Onsite
– In the Lab
• CLIENT'S ROLE
– Escort our staff to physically collect the computer from the computer's secure location.

Imaging – Hardware
Here are some of the procedures we use during imaging to ensure that the evidence collected is clearly identified and preserved:
• Scan Hardcopies: We scan all hardcopy forms to PDF, and this electronic copy is kept with the images of the evidence.
• Tag Evidence: We manually tag all evidence items with an assigned case number using the following naming convention: Case Number and Hard Drive Serial Number (Ex., 01200804Agency Name – HDD Serial#)
• Connect Suspect Drive to Write Blocker: Connect the write blocker to the suspect's hard drive.

Imaging – Regular Hard Drive
To image a regular-sized hard drive, implement the following procedures:
• Request the client to purchase a storage device.
– Reduces cost
– Ensure enough space is available to process the evidence.
– Easy transfer of images to the client

Storage Device – Organize Evidence Information
Create the following folders on the destination drive for every case:
Case Name\Evidence Item Number (Folder)
1. Evidence (subfolder)
1. HDD1 (subfolder)
2. HDD2 (subfolder)
Export (subfolder)
2. Temp (subfolder)
3. Index (subfolder)
4. Drive Geometry (subfolder)
5. Report (subfolder)
6. Case Backup (subfolder)
Place all images produced in the Evidence folder.

Use FTK Imager
Create the image using FTK Imager. Through experience, we have found this to be one of the easiest and most portable software tools for creating images. Also, this image can be used in both FTK and EnCase.

Image Physical Drive
Always image the physical drive.

Imaging a RAID Server
Redundant Array of Inexpensive Disks. Have the systems administrator help you review the RAID information. You need to gather the following information:
• Stripe size
• Element order (disk order)
• Element size
• Whether it is RAID 1, 5, etc.
• Right hand, left hand, forward, back, or dynamic disk

Imaging a RAID Server (con't)
• RAID Reconstructor

Examination/Analysis
• Remove the hard drive from the write block device.
• Reassemble the computer.
• Ensure the evidence remains tagged.

Examination/Analysis (con't)
• FTK
• FTK can take a few days to process your image. During this time, we return to our normal audit work.
• Run keyword searches.
• Obtain from the client and review corroborating evidence:
– Emails
– Surveillance video
– DVDs & CDs
• EnCase
• Do not answer or provide additional information to agency personnel. Agency personnel can accidentally leak information.

Forensic Report
The IT Auditor will issue a report to appropriate personnel once the examination is completed. If court action is anticipated, inform the Agency Head to preserve the original evidence if possible. If the original evidence cannot be preserved, the NC Court Rules of Evidence allow for the image to be admitted as evidence.

Questions????
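The tagging convention, per-case folder layout and chain-of-custody fields from the slides above, worked into a small Python helper. This is an added example, not the presenter's or the OSA's own tool; the hashing step and the sample case values are assumptions added here, and the tag uses a plain hyphen in place of the slide's dash.

```python
# Constructed helper (not the presenter's own tool): per-case folder layout, evidence
# tag names and a chain-of-custody log following the conventions on the slides.
import csv, hashlib, tempfile
from datetime import datetime
from pathlib import Path

# Folder layout from the "Organize Evidence Information" slide.
CASE_SUBFOLDERS = ["Evidence/HDD1", "Evidence/HDD2", "Evidence/Export",
                   "Temp", "Index", "Drive Geometry", "Report", "Case Backup"]
# Fields from the chain-of-custody form on the reverse of the request form.
CUSTODY_FIELDS = ["Date", "Time", "FAS", "Model", "Device Serial#", "Make",
                  "Reason", "Relinquished By", "Received By"]

def evidence_tag(case_number, agency, hdd_serial):
    # Tagging convention from the slides: case number, agency name, HDD serial.
    return f"{case_number}{agency} - {hdd_serial}"

def create_case_layout(root, case_name, item_number):
    # Create Case Name/Evidence Item Number/<subfolders>; returns the created paths.
    base = Path(root) / case_name / item_number
    for sub in CASE_SUBFOLDERS:
        (base / sub).mkdir(parents=True, exist_ok=True)
    return [base / sub for sub in CASE_SUBFOLDERS]

def record_custody(log, **entry):
    # Append one hand-off to the chain-of-custody log, stamping date and time.
    now = datetime.now()
    row = {"Date": now.strftime("%Y-%m-%d"), "Time": now.strftime("%H:%M:%S")}
    row.update({k: entry.get(k, "") for k in CUSTODY_FIELDS[2:]})
    new_file = not Path(log).exists()
    with open(log, "a", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=CUSTODY_FIELDS)
        if new_file:
            writer.writeheader()
        writer.writerow(row)
    return row

def hash_evidence(evidence_dir):
    # Assumption, not on the slides: SHA-256 every file under Evidence/ so the image
    # can later be shown unchanged (the slides only say it must withstand scrutiny).
    files = (f for f in sorted(Path(evidence_dir).rglob("*")) if f.is_file())
    return {f.name: hashlib.sha256(f.read_bytes()).hexdigest() for f in files}

def demo(root=None):
    # Walk one constructed case end to end; returns what each step produced.
    root = Path(root or tempfile.mkdtemp())
    case = evidence_tag("01200804", "Agency Name", "HDD Serial#")
    paths = create_case_layout(root, case, "1")
    (paths[0] / "HDD1.E01").write_bytes(b"abc")  # constructed stand-in for an image
    row = record_custody(root / "custody.csv", **{"Device Serial#": "HDD Serial#",
                         "Relinquished By": "Client", "Received By": "IT Auditor"})
    return {"tag": case, "folders": len(paths), "custody": row,
            "hashes": hash_evidence(paths[0].parent)}
```

Running `demo()` builds the eight-folder layout under a temporary directory, logs one client-to-auditor hand-off, and returns the digest of the stand-in image placed in Evidence/HDD1.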
This note was uploaded on 04/06/2011 for the course CS 6963 taught by Professor Walterbruehs during the Spring '10 term at NYU Poly.