An Introduction to Computer Forensics Jim Lindsey Western Kentucky University

Post on 14-Jan-2016


TRANSCRIPT

Page 1: An Introduction to Computer Forensics

An Introduction to Computer Forensics

Jim Lindsey, Western Kentucky University

Page 2: An Introduction to Computer Forensics

What are we talking about?

Forensic …

Page 3: An Introduction to Computer Forensics

What are we talking about?

Forensic Science is the use of science to investigate and establish facts in criminal and civil cases.

[Embedded chart: Fat-Free Muffins Breakeven Analysis; x-axis Units (0 to 20,215), y-axis Dollars ($0 to $60,000); series: Fixed Cost, Total Cost, Revenue]

Page 4: An Introduction to Computer Forensics

What are we talking about?

Computer Forensics is the discovery, collection, and analysis of evidence found on computers and networks.

Page 5: An Introduction to Computer Forensics

Many Hats

Law
Investigative Skills
Technology

Computer Forensics (where the three overlap)

Page 6: An Introduction to Computer Forensics

An Exam May Explain …

Hidden data
Most recently used applications
Origin of documents
Evidence of “wiping”
Visited Internet sites

Page 7: An Introduction to Computer Forensics

An Exam May Require …

Cloning
Write Blocker
MD-5 & SHA-1
Cataloging
Recovery of Deleted Files
Search for hidden, disguised or encrypted files
Viewing files
Analysis of time/date stamps

Page 8: An Introduction to Computer Forensics

Deleted Files

Page 9: An Introduction to Computer Forensics

Deleted Files

Page 10: An Introduction to Computer Forensics

An Examiner Should …

Possess requisite training and equipment
Be able to provide training
Be knowledgeable of data relevant to computer-related crimes
Be able to effectively testify as an expert in a court of law

Page 11: An Introduction to Computer Forensics

What to do?

If the computer is off, do not turn on.

If the computer is on, do not shut down normally – call for instructions.

Do not “browse” the files!

Page 12: An Introduction to Computer Forensics
Page 13: An Introduction to Computer Forensics

What to do?

Document, document, document - WHY?

Records chain of custody:
Where the evidence came from
When it was obtained
Who obtained it
Who secured it
Who has had control of it
Where it is stored
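The two slides above (MD-5 & SHA-1 after cloning, and the chain-of-custody record) fit together in practice: the examiner hashes the acquired image, verifies that any working copy reproduces the same digests, and records who handled what, when and where. The script below is an added example, not part of the original presentation; the "disk image" bytes, item names and people are constructed for the demonstration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample "disk image" (not real evidence): 16 KiB of test bytes.
ORIGINAL_IMAGE = bytes(range(256)) * 64
CLONE_IMAGE = bytes(ORIGINAL_IMAGE)                    # a faithful copy
TAMPERED_IMAGE = ORIGINAL_IMAGE[:100] + b"\x00" + ORIGINAL_IMAGE[101:]  # one byte changed


def hash_image(data, chunk_size=4096):
    """Compute MD5 and SHA-1 in a single pass over the image.

    Both digests are recorded at acquisition time, as the slides list them;
    reading in chunks keeps memory flat for multi-hundred-gigabyte images.
    """
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_clone(recorded_hashes, clone_data):
    """True only if the clone reproduces BOTH recorded digests."""
    clone_hashes = hash_image(clone_data)
    return all(hmac.compare_digest(recorded_hashes[k], clone_hashes[k])
               for k in ("md5", "sha1"))


def custody_entry(item, action, person, location, hashes, when=None):
    """One chain-of-custody record: what, where, when, who, plus the digests."""
    when = when or datetime.now(timezone.utc)
    return {"item": item, "action": action, "person": person,
            "location": location, "timestamp": when.isoformat(), **hashes}


def format_entry(entry):
    """Render a record as a single log line for the custody form."""
    return " | ".join(f"{k}={v}" for k, v in entry.items())


if __name__ == "__main__":
    recorded = hash_image(ORIGINAL_IMAGE)
    log = [custody_entry("HDD-01 image", "acquired via write blocker",
                         "J. Examiner", "Evidence room A", recorded)]
    print(format_entry(log[0]))
    print("clone verified:", verify_clone(recorded, CLONE_IMAGE))        # True
    print("tampered verified:", verify_clone(recorded, TAMPERED_IMAGE))  # False
```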

Page 14: An Introduction to Computer Forensics

Final Notes

Forensic Examinations
Normally 1-2 hours to forensically image a hard drive
Exams can take 4-40 hours, depending on requests
Helpful if “keywords” provided
Know what you want to search for…..

Page 15: An Introduction to Computer Forensics

Final Notes

Average HD Volume       590 GB*
Gigabyte                1,073,741,824 bytes
Subtotal                633,507,676,160 bytes
Page size               3000 bytes
Pages                   211,169,225
Ream                    500 pages
Reams                   422,338 Reams
Ream height             2”
Total height            844,676”
Height in feet          70,389 feet
Height of Mt Everest    29,029 feet**

Note these figures are conservative!

* http://www.tomshardware.com/news/seagate-hdd-gigabyte-terabyte-quarter-result,13118.html
** http://www.teameverest03.org/everest_info/index.html

Page 16: An Introduction to Computer Forensics

Explain what the 'Chain of Custody' is in computer forensics. Furthermore, explain why it is important for forensic examiners to establish 'Chain of Custody' as soon as they arrive on a scene and maintain it throughout the life of a case.

We spent a day discussing computer forensics. How could knowledge of this topic help a human resources manager do their job? How could knowledge of this topic help a police officer do their job?

Page 17: An Introduction to Computer Forensics

Are there any questions?