Incident documentation
• Documentation is needed to provide evidence and for post-incident review.
• Some sources of evidence/documentation are video surveillance systems, electronic security monitoring systems, handwritten journals, service logs, telephone logs, interviews, etc.
• Develop an incident timeline. Each event must be supported by the original documents – this is crucial.
C4DLab
Sources of Information
• Help desk logs
• Network logs
• System logs
• Administration logs
• Physical access logs
• Accounting logs
• Audit logs
• Security logs
• Backups
• Staff clock logs
• Staff
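As an added example (not part of the original slides) of the timeline rule on the previous slide applied to three of the sources listed above: constructed excerpts from a help desk export, a syslog auth log and a firewall log are normalised to UTC, sorted into one timeline, and every event keeps the name and SHA-256 of the original record it was taken from so that later alteration of the source is detectable. File names, record contents, the syslog year and the UTC assumption are all constructed for the example.

```python
"""Build an incident timeline in which every event points back to its
original document. All records below are constructed sample data."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed records; each key stands for one original document.
SOURCES = {
    "helpdesk.csv": "2024-03-04T09:12:00Z,TICKET-41,user reports ransom note on desktop",
    "auth.log": "Mar  4 08:55:13 fs01 sshd[2210]: Accepted password for svc_backup from 203.0.113.9 port 51522",
    "firewall.log": "2024-03-04 08:53:40 ALLOW TCP 203.0.113.9:51522 -> 10.0.0.5:22",
}

@dataclass(frozen=True)
class Event:
    when: datetime       # normalised to UTC
    source: str          # original document the event was taken from
    source_sha256: str   # fingerprint of that document at collection time
    summary: str

def parse(source: str, text: str, syslog_year: int = 2024) -> Event:
    """Normalise one record; the format is chosen by source name (assumption).
    Syslog lines carry no year, so the year is supplied by the caller."""
    digest = hashlib.sha256(text.encode()).hexdigest()
    if source == "helpdesk.csv":
        ts, ticket, note = text.split(",", 2)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        return Event(when, source, digest, f"{ticket}: {note}")
    if source == "auth.log":
        mon, day, clock, host, msg = text.split(None, 4)
        when = datetime.strptime(f"{syslog_year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        return Event(when.replace(tzinfo=timezone.utc), source, digest, f"{host}: {msg}")
    if source == "firewall.log":
        stamp, msg = text[:19], text[20:]        # firewall clock assumed to be UTC
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        return Event(when.replace(tzinfo=timezone.utc), source, digest, msg)
    raise ValueError(f"no parser for source {source!r}")

def build_timeline(sources: dict) -> list:
    """Chronological events, each tied to the document it came from."""
    return sorted((parse(s, t) for s, t in sources.items()), key=lambda e: e.when)

def verify(event: Event, current_text: str) -> bool:
    """True if the document still matches the fingerprint recorded at collection."""
    return hashlib.sha256(current_text.encode()).hexdigest() == event.source_sha256

if __name__ == "__main__":
    for e in build_timeline(SOURCES):
        print(e.when.isoformat(), e.source, e.summary, sep=" | ")
```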
Computer forensics investigations
Computer forensics investigations
• Electronic record: any data that is recorded or preserved on any medium in or by a computer system or other similar device, that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
• Computer forensics: the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
• Anti-forensics is the process of cybercriminals getting into a targeted environment and hacking the forensics tools themselves.
Computer forensics investigations & incident handling
• Handling data under investigation
 – For hand-held devices, mobile phones
 – For computers, servers and laptops
 – Any other computing devices
Computer forensics investigations: some history
• Early in the 1970s students discovered how to gain unauthorized access to large timeshared computer systems.
• 1978: the Florida Computer Crime Act was the 1st law to help deal with computer fraud and intrusion. Employees at a dog track had used a computer to print fraudulent winning tickets. The act also defined all unauthorized access as a crime.
• 1984: the US Federal Computer Fraud and Abuse Act was passed. (Morris Worm, 1988)
Properties of digital evidence
• Digital evidence is any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred or that addresses critical elements of the offense such as intent or alibi. (Casey, Eoghan. Digital Evidence and Computer Crime, p. 12)
• Extremely fragile, similar to a fingerprint.
Properties of digital evidence
• “Latent”: it cannot be seen in its natural state, much like DNA.
 – Any actions that can alter, damage or destroy digital evidence will be scrutinized by the courts.
• Is often constantly changing and can be very time sensitive.
• Can transcend borders with ease and speed.
Recognizing Potential Evidence
There are many ways:
1. Contraband or fruits of a crime
 – Stolen computer equipment
 – Stolen software
2. A tool of the offense
 – Theft committed using a computer
 – Fraud committed using a computer
 – E-mail sent from a computer
 – Sex offense committed after being arranged on a computer
 – Fraudulent money or IDs made with a computer
Recognizing Potential Evidence (cont.)
3. Only incidental to the offense –
- Winter '19
- Computer Security