COEN 252 Computer Forensics Process for Hard Drive
- Slides: 33
COEN 252 Computer Forensics Process for Hard Drive Examination
Best Evidence n n n Best evidence is original evidence. FRE: multiple copies of electronic files are considered “original”. Evidence need to be protected against n n n Normal accidents. Accidents in the analysis process. Tampering.
Best Evidence n n n Computer data are “writings” and “records”. Need to be authenticated. Whoever collected them should testify during direct examination that the information is what the proponents claim.
Best Evidence n n n If not authenticated, documents and writings are usually inadmissible. Hence, careful record keeping needed. In addition to careful handling of evidence.
Best Evidence n n n Chain of Custody Protects evidence against advertent or inadvertent tampering. Evidence needs to be traced from the moment it was collected to the moment it was presented in judicial proceedings.
Best Evidence n n Hard drive yields a byte stream. Protect with cryptographically secure checksum A. k. a. hash A. k. a. signature
Best Evidence Cryptographically secure checksum n Small byte string calculated from byte stream X as f (X). n Given c, “computationally impossible” to find a byte stream X with f (X) = c. n I. e. nothing better than brute force, which takes too long. n Change even a bit in X and f (X) changes.
Best Evidence n n n Collect c =f (X) from original byte stream. Maintain c securely, e. g. with evidence log. Prove that X has not changed by recalculating c = f (X ).
Best Evidence Cryptographically secure checksums n MD 5 (a classic, 16 B checksum) n SHA 1 (a classic 20 B checksum) n SHA 256 etc. (much longer checksum) What is computationally possible, changes with progress.
Best Evidence Chain of custody for physical objects n Inventoried and labeled by evidence custodians. n Booked into evidence locker. n Access documents by evidence technician.
Evidence Collection from Computer Media n n n Identify computer media. Detailed report of situation. Evidence custodian inventories best evidence and logs it in the Evidence log. Perform a forensic duplication of the original media to storage media. If the original can be kept, use it as the best evidence. If not, duplicate the data immediately, and use the media as the best evidence. Label the best evidence and store it in evidence locker. Make a duplicate of the best evidence and use it forensic analysis. Make more working copies as necessary, e. g. in order to mount the file system for quasi-life investigations. Make backup of best evidence.
Evidence Handling Procedures n n Before examining the contents of a hard drive, record information about the computer system. Take digital photographs of the system and the media that is being duplicated. Fill out an evidence tag for the original media and / or for the forensic duplicate. Label all media appropriately with an evidence label.
Evidence Handling Procedures n n n Store the best evidence copy in the evidence locker. An evidence custodian enters a record of the best evidence into the evidence log. Each access to the best evidence is also entered into the log. All examinations on the forensics copy are performed on a forensic copy, the working copy.
Evidence Handling Procedures n n n An evidence custodian ensures that backup copies of the best evidence are created. An evidence custodian ensures that all disposition dates are met. The dates are assigned by the principal investigator. An evidence custodian performs a monthly audit to ensure all of the best evidence is present, properly stored, and labeled.
Evidence Handling Procedures Evidence System Description Describe n Location n Individuals n n Who occupy the room or office where the original evidence was found. Have access to it. Who can actually use it. Who are present.
Evidence Handling Procedures Evidence System Description n n Location of system in room. State of the system n n n Powered on/off. Data on screen. Time/date of system BIOS Network connections. Serial numbers, make etc. of hard drives and peripherals. Peripherals attached to the system
Evidence Handling Procedures Digital Photos n Used n n n For protection against unwarranted claims. To ensure returning the system to the exact state prior to forensic duplication. To capture current configuration. For investigative hints. Label photos clearly, make log entries for pictures taken.
Evidence Handling Procedures Evidence Tags n n Needs to satisfy federal and state guidelines. Contains info on n n n Place, Person from whom item was received. If item requires consent to search. Description of item. If the item is a storage device, what is contained in it. Date / time when taken. Full name and signature of individual initially receiving the evidence. Case and tag number related to the evidence.
Evidence Handling Procedures Evidence Labels n Label physical items, i. e. suspect hard drive n n n With case number and evidence tag number. Date and time evidence was collected. A brief description of the items contained within the envelope.
Evidence Handling Procedures Evidence Pouch
Evidence Handling Procedures
Evidence Handling Procedures
Evidence Handling Procedures
Evidence Handling Procedures Evidence Storage n n Investigator needs to maintain positive control of the evidence at all times. Evidence protection includes protection against the environment such as electromagnetic fields.
Evidence Handling Procedures Evidence Log n Every time evidence is accessed, log n n n Evidence tag number Date Action taken Consultant performing the action Identify information on the action Audits
Evidence Handling Procedures Evidence Disposition n Initial disposition: Analysis and case finished. n n n Working copies are no longer needed. Only backup might be needed. Final disposition: Backups are no longer needed.
Evidence Handling Procedures Audits n n Labs should get certified for their procedures. Internal audit to n n n Ensure compliance with internal standards by reviewing evidence locker access log forms. Perform an inventory. Check disposition requirements. Perform checks for needed backups. Review case folders.
Data Analysis n n n Develop goal of investigation and stick to it. Analyst should make and state findings. An analyst that offers opinions, is an expert witness.
Data Analysis n n n More art than science. Feed-back with investigator. Needs accurate documentation. Analyst needs to be able to testify months after analysis. Findings need to be repeatable.
Report n Report all steps in the investigation. Immediately n Clearly n
Testify
Report n n Accurately describe details of an incident. Be understandable to decision makers. Be able to withstand a barrage of legal scrutiny. Be unambiguous and not open to misunderstanding.
Report n n Be easily referenced (Bates numbers) Contain all information required to draw conclusions.
- Google drive
- Https://slidetodoc.com
- Google drive
- Hard times hard drive
- Features of hard disk drive
- Coen311
- Anjali agarwal concordia
- Coen 445
- Coen 352
- Coen 6501
- Coen 445
- Coen 445
- Google drive forensics
- Differentiate between belt drive and chain drive
- Https drive google com file d 1zphjwy1qqf1g
- Https://drive.google.com/drive/
- Difference between belt drive and chain drive
- Comait
- Windows 95 max hard drive size
- Moving coil actuator
- Restored image in digital forensics
- Examples of magnetic storage devices
- Tvs
- Nkb032 hard disk drive
- Hard drive evolution
- I twin limitless pendrive technology
- Gravimetric analysis of calcium and hard water lab answers
- Work hard, have fun, make history
- Computer forensics report template
- Guide to computer forensics and investigations 6th edition
- Digital forensics denver
- Computer forensics workstation
- Digital forensic lab floor plan
- Objectives of computer forensics