Incident documentation
Documentation is needed to provide evidence and for post-incident review.
Some sources of evidence/documentation: video surveillance systems, electronic security monitoring systems, handwritten journals, service logs, telephone logs, interviews, etc.
C4DLab
Develop an incident timeline
Each event in the timeline must be supported by the original documents it was derived from (the log entry, ticket, recording or interview note); this is crucial. Record where each entry came from and keep the source intact.

Sources of Information
Help desk logs
Network logs
System logs
Administration logs
Physical access logs
Accounting logs
Audit logs
Security logs
Backups
Staff clock logs
Staff
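The following is an added example, not part of the original slides, showing how a timeline is assembled from several of the sources listed above so that every event stays tied to the original document it came from. It assumes three constructed sample logs (a help desk CSV export, a classic syslog file and a badge reader export), a site time zone of UTC+3 and a log year of 2024; the file names, log lines and host names are invented for the example.

```python
"""Incident timeline built from several evidence sources.

Added example; it is not part of the original slides. Each timeline entry
keeps a pointer to the original document it was taken from, together with
a SHA-256 of that document as collected, so every event can be traced back
to its supporting evidence. The three sources below are constructed sample
data standing in for a help desk export, a syslog file and a badge reader log.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions for this example: the site runs at UTC+3 and the syslog file
# (whose timestamps carry no year) was written in 2024.
LOCAL_TZ = timezone(timedelta(hours=3))
LOG_YEAR = 2024

SOURCES = {  # constructed sample evidence; in practice each is a file collected intact
    "helpdesk.csv": (
        "2024-03-04 08:55,ticket#1041,alice,cannot log in; account locked\n"
        "2024-03-04 09:20,ticket#1042,bob,printer offline\n"
    ),
    "auth.log": (
        "Mar  4 08:41:02 fileserver sshd[2210]: Failed password for alice from 10.0.0.77 port 51122 ssh2\n"
        "Mar  4 08:41:05 fileserver sshd[2210]: Failed password for alice from 10.0.0.77 port 51122 ssh2\n"
        "Mar  4 08:42:10 fileserver sshd[2214]: Accepted password for alice from 10.0.0.77 port 51130 ssh2\n"
    ),
    "badge.log": (
        "2024-03-04T05:38:00Z,door=SERVER_ROOM,badge=0417,result=GRANTED\n"
    ),
}


@dataclass(order=True)
class Event:
    when: datetime          # normalised to UTC so sources can be interleaved
    source: str             # original document the event was taken from
    source_sha256: str      # digest of that document as collected
    detail: str


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_helpdesk(text):
    """CSV rows: local timestamp, then free text."""
    for line in text.splitlines():
        ts, rest = line.split(",", 1)
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M").replace(tzinfo=LOCAL_TZ)
        yield when, rest


SYSLOG_LINE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ (.*)$")


def parse_syslog(text):
    """Classic syslog: 'Mon  d HH:MM:SS host message', no year, local time."""
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue  # skipped here; in practice such lines are flagged for manual review
        mon, day, hms, msg = m.groups()
        when = datetime.strptime(f"{LOG_YEAR} {mon} {day} {hms}",
                                 "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
        yield when, msg


def parse_badge(text):
    """Badge reader export: ISO-8601 UTC timestamp, then key=value fields."""
    for line in text.splitlines():
        ts, rest = line.split(",", 1)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), rest


PARSERS = {"helpdesk.csv": parse_helpdesk, "auth.log": parse_syslog, "badge.log": parse_badge}


def build_timeline(sources):
    """Return all events from all sources, oldest first, each tied to its source document."""
    events = []
    for name, text in sources.items():
        digest = sha256_hex(text)  # taken once, over the document exactly as collected
        for when, detail in PARSERS[name](text):
            events.append(Event(when.astimezone(timezone.utc), name, digest, detail))
    return sorted(events)


def render(timeline):
    """One line per event: UTC time, what happened, and which document proves it."""
    return [f"{e.when.isoformat()}  {e.detail}  [{e.source} sha256:{e.source_sha256[:12]}]"
            for e in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline(SOURCES))))
```

Normalising every timestamp to UTC is what makes the server-room badge swipe, the SSH failures and the help desk ticket line up in one sequence; the digest on each line is what lets a reviewer later confirm that the cited log is the one that was collected.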

Computer forensics investigations
• Electronic record: any data that is recorded or preserved on any medium in or by a computer system or other similar device, that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
• Computer forensics: the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
• Anti-forensics: techniques an attacker uses to hinder or defeat a forensic examination, for example wiping or overwriting data, altering file timestamps, encrypting or hiding data, and attacking the forensic tools themselves so that they miss or misreport evidence.

Computer forensics investigations & Incident handling
• Handling data under investigation
  – For handheld devices and mobile phones
  – For computers, servers and laptops
  – Any other computing devices

Computer forensics investigations: Some history
• Early in the 1970s, students discovered how to gain unauthorized access to large time-shared computer systems.
• 1978: the Florida Computer Crime Act was the first law written to deal with computer fraud and intrusion. It was prompted by a case in which employees at a dog track used a computer to print fraudulent winning tickets. The act also defined all unauthorized access as a crime.
• 1984: the US federal Computer Fraud and Abuse Act was first passed (it was amended into its current form in 1986). The Morris Worm of 1988 led to the first conviction under it.

Properties of digital evidence
• Digital evidence is any data stored or transmitted using a computer that supports or refutes a theory of how an offense occurred or that addresses critical elements of the offense such as intent or alibi. (Casey, Eoghan. Digital Evidence and Computer Crime, p. 12)
• Extremely fragile, similar to a fingerprint.

Properties of digital evidence
• "Latent": it cannot be seen in its natural state, much like DNA; tools are needed to make it visible.
  – Any action that can alter, damage or destroy digital evidence will be scrutinized by the courts, so collection and handling must be documented.
• Often constantly changing and can be very time sensitive (volatile memory, rotating logs).
• Can transcend borders with ease and speed.
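Because the evidence is fragile and any alteration will be scrutinized, the usual practice is to hash each item when it is acquired and re-check that hash at every hand-over. The block below is an added example, not part of the original slides, of that integrity check and custody log; the evidence item, the item ID and the examiner names are constructed for the example.

```python
"""Integrity check and chain of custody for one evidence item.

Added example; it is not part of the original slides. Digital evidence is
fragile, so the examiner hashes it when it is acquired and re-hashes it at
every hand-over: a single changed byte shows up as a digest mismatch, and
the custody log records who held the item and when. SAMPLE_IMAGE is a
constructed byte string standing in for a disk image or exported log.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timezone

SAMPLE_IMAGE = b"constructed evidence: contents of /var/log/auth.log as exported 2024-03-04\n"


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    sha256: str                                   # taken at acquisition; never updated afterwards
    custody: list = field(default_factory=list)   # (timestamp, holder, note) entries, oldest first


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stamp(now):
    return (now or datetime.now(timezone.utc)).isoformat()


def acquire(item_id, description, data, examiner, now=None):
    """Create the record and the first custody entry at the moment of collection."""
    rec = EvidenceRecord(item_id, description, digest(data))
    rec.custody.append((_stamp(now), examiner, "acquired; sha256 recorded"))
    return rec


def verify(rec, data) -> bool:
    """True only if the item still hashes to what was recorded at acquisition."""
    return hmac.compare_digest(rec.sha256, digest(data))


def transfer(rec, data, from_holder, to_holder, note, now=None):
    """Log a hand-over, refusing if the item no longer matches its recorded digest.

    Refusing (rather than quietly re-hashing) keeps the custody log honest:
    an altered item must be investigated, not passed along.
    """
    if not verify(rec, data):
        raise ValueError(f"{rec.item_id}: digest mismatch, item altered while held by {from_holder}")
    rec.custody.append((_stamp(now), to_holder, f"from {from_holder}: {note}"))
    return rec


def custody_report(rec):
    """Human-readable custody history, suitable for attaching to the incident report."""
    lines = [f"{rec.item_id} ({rec.description}) sha256={rec.sha256}"]
    lines += [f"  {ts}  {holder}: {note}" for ts, holder, note in rec.custody]
    return lines


if __name__ == "__main__":
    rec = acquire("E-001", "auth.log export", SAMPLE_IMAGE, "examiner A")
    transfer(rec, SAMPLE_IMAGE, "examiner A", "forensics lab", "for analysis")
    print("\n".join(custody_report(rec)))
```

In practice the digest is taken over the raw image or export before anything reads it, and analysis is done on a working copy, so the original is never the thing that changes.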

Recognizing Potential Evidence
There are many ways:
1. Contraband or fruits of a crime
   – Stolen computer equipment
   – Stolen software
2. A tool of the offense
   – Theft committed using a computer
   – Fraud committed using a computer
   – E-mail sent from a computer
   – Sex offense committed after being arranged on a computer
   – Fraudulent money or IDs made with a computer

Recognizing Potential Evidence (cont.)
3. Only incidental to the offense
–


- Winter '19
- Computer Security