COEN 252 Computer Forensics Introduction to Computer Forensics

COEN 252 Computer Forensics Introduction to Computer Forensics Thomas Schwarz, S. J. 2013



Computer Forensics
- Digital Investigation
  - Focuses on a digital device
    - Computer
    - Router
    - Switch
    - Cell-phone
    - SIM-card
    - Kindle
    - …


Computer Forensics
- Digital Investigation
  - Focuses on a digital device involved in an incident or crime
    - Computer intrusion
    - Generic criminal activity
      - Perpetrator uses the internet to gather information used in the perpetration of a crime.
    - Digital device is an instrument of a crime
      - Perpetrator uses a cell-phone to set off a bomb.
      - Email scams
      - Internet auction fraud
      - Crimeware
      - Computer is used for intrusion of another system
      - Botnet


Computer Forensics
- Digital Investigation
  - Has different goals
    - Prevention of further intrusions.
      - Goal is to reconstruct the modus operandi of the intruder to prevent further intrusions.
    - Assessment of damage.
      - Goal is to certify the system for safe use.
    - Reconstruction of an incident.
      - For criminal proceedings.
      - For organization-internal proceedings.


Computer Forensics
- Digital Investigation
  - Process where we develop and test hypotheses that answer questions about digital events.
  - We can use an adaptation of the scientific method where we establish hypotheses based on findings and then (if possible) test our hypotheses against findings resulting from additional investigations.


Computer Forensics
- Evidence
  - Procedural notion
    - That on which our findings are based.
  - Legal notion
    - Defined by the “rules of evidence”
      - Differ by legislation
      - “Hearsay” is procedurally evidence, but excluded (under many circumstances) as legal evidence.


Computer Forensics
- Used in the “forum”, especially for judicial proceedings.
- Definition: legal


Computer Forensics
- Digital Crime Scene Investigation Process
  - System Preservation Phase
  - Evidence Searching Phase
  - Event Reconstruction Phase
  - Note: These phases are different activities that intermingle.
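The three phases above, walked through on a toy image. This is an added illustration written for this page, not material from the lecture slides; the "disk image" is a constructed byte string with a few ASCII artifacts embedded in filler, and the function names (preserve, verify, search, reconstruct) are hypothetical. Preservation records a SHA-256 digest before any analysis, searching carves printable strings out of the raw bytes, and reconstruction orders the timestamped artifacts into a timeline regardless of where they sat on disk.

```python
"""Toy walk-through of the digital crime scene investigation phases:
System Preservation, Evidence Searching, Event Reconstruction.
Added example for this page; the image below is constructed, not real data."""
import hashlib
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample "image": three ASCII log-style artifacts separated by
# non-printable filler, deliberately stored out of chronological order.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"2013-04-02T10:15:00Z login user=alice\n"
    + b"\xff" * 8
    + b"2013-04-02T10:17:30Z logout user=alice\n"
    + b"\x00" * 4
    + b"2013-04-02T10:16:05Z modified /home/alice/report.doc\n"
    + b"\x00" * 16
)


def preserve(image: bytes) -> Dict[str, object]:
    """System Preservation Phase: record size and a cryptographic digest of
    the image before any analysis, so later work can be shown not to have
    altered it."""
    return {"sha256": hashlib.sha256(image).hexdigest(), "size": len(image)}


def verify(image: bytes, record: Dict[str, object]) -> bool:
    """Re-hash the image and compare it with the preservation record.
    Any change to a single byte, or to the length, fails verification."""
    return (
        len(image) == record["size"]
        and hashlib.sha256(image).hexdigest() == record["sha256"]
    )


def search(image: bytes, min_len: int = 8) -> List[Tuple[int, str]]:
    """Evidence Searching Phase: carve runs of printable ASCII of at least
    min_len bytes (the idea behind the Unix 'strings' tool) and return
    (byte offset, text) pairs so each hit can be cited by its location."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, image)]


def reconstruct(hits: List[Tuple[int, str]]) -> List[Tuple[datetime, str]]:
    """Event Reconstruction Phase: pull ISO-8601 timestamps out of the carved
    strings and sort the events by time, which is the order the investigator
    needs, not the order the bytes happened to occupy on the device."""
    stamp = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (.*)$")
    events = []
    for _offset, text in hits:
        m = stamp.match(text)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            events.append((when.replace(tzinfo=timezone.utc), m.group(2)))
    return sorted(events)


if __name__ == "__main__":
    record = preserve(SAMPLE_IMAGE)          # phase 1, done before anything else
    hits = search(SAMPLE_IMAGE)              # phase 2, on the preserved copy
    for when, what in reconstruct(hits):     # phase 3, ordered timeline
        print(when.isoformat(), what)
    print("image unchanged after analysis:", verify(SAMPLE_IMAGE, record))
```

Note that verify is run again after the search and reconstruction steps: the point of the preservation record is to be able to show, at any later stage, that analysis was performed on an unaltered copy.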


Computer Forensics
- Who should know about Computer Forensics
  - Those involved in legal proceedings that might use digital evidence
    - Judges, Prosecutors, Attorneys, Law Enforcement, Expert Witnesses
  - Those involved in Systems Administration
    - Systems Administrators, Network Administrators, Security Officers
  - Those writing procedures
  - Managers


Computer Forensics
- Computer Forensics presupposes skills in
  - Ethics
  - Law, especially rules of evidence
  - System and network administration
  - Digital data presentation
    - Number and character representation
  - Systems
    - OS, especially file systems.
    - Hardware, especially disk drives, memory systems, computer architecture, …
  - Networking
    - Network protocols, Intrusion detection, …
  - Information Systems Management


COEN 252 Prerequisites
- Required:
  - Good moral character.
  - Ability and willingness to respect ethical boundaries.
  - Familiarity with at least one type of operating system. (Windows, Unix/Linux, DOS experience preferred.)
  - Some programming.
  - Access to a computer with a hex editor.
- Desired:
  - Familiarity with OS theory.
  - Familiarity with networking.
  - Some knowledge of the U.S. legal system.