computer forensics introduction - jurinnov - eric vanderburg
TRANSCRIPT
Computer Forensics Introduction
Eric A. Vanderburg, Director, Cyber Security, Information Systems and Computer Forensic and Investigation Services
© 2007 Property of JurInnov Ltd. All Rights Reserved
“…most of our [investment] banking clients are going to zero and you know I wanted to downgrade them months ago but got huge pushback from banking.”
— E-mail by ex-Salomon Smith Barney analyst Jack Grubman
Business Week, October 14, 2002
Electronic Evidence — What is the Big Deal?
What is the Big Deal?
“We are going to cut off their air supply. Everything they are selling, we are going to give away for free.”
— Microsoft vice president Paul Maritz describing in an e-mail how he planned to crush any competition from Netscape
CNN reporter Dave Wilson, May 3, 2002
www.cnn.com/2002/TECH/industry/05/03/microsoft.antitrust.email
What is the Big Deal?
“Do we have a clear plan on what we want Apple to do to undermine Sun?”
— from a Bill Gates e-mail to Paul Maritz dated 8/18/77
United States v. Microsoft – Trial Transcript
What is the Big Deal?
“Do I have to look forward to spending my waning years writing checks to fat people worried about a silly lung problem?”
— Email message in American Home Products Fen-Phen litigation
What is Computer Forensics?
• Computer Forensics involves the preservation, identification, extraction, documentation and interpretation of computer data
– Kruse and Heiser, 2002
What is Computer Forensics?
• Computers provide evidence of every key stroke made, every Internet page visited, every picture downloaded and every print job sent to a printer
• A deleted file will, in many cases, still exist long after it has been deleted
• A computer forensic examiner assists an attorney by recovering data from computers and analyzing it to provide evidence of relevant personal and business records and information
Why Forensics Technicians?
• Data must be gathered using a defensible process including appropriate tools and techniques
• Evidence validation/Hashing
• Deleted/Unallocated/Slack material: more valuable than active files?
• Analyze potential evidence and suggest ways to find other relevant facts and provide insights
• Independent reporting and testimony
• Data that is authenticated is generally more useful evidence
Forensics Investigations Steps
• Image media
• Index or not
• Develop search terms
• Analysis
• Search data
• Provide evidence and reports
• Chain of custody considerations
Types of Evidence
• Internet pages visited and how often
• Pictures downloaded
• Print images
• Emails
• Files deleted
• Links to files that once existed
• Registry
• Records of when operating system was installed
• Application Log Files
• List of installed programs
• Cell phones
• PDA’s
• Digital copiers
• Pagers
Forensic Tools and Issues
• Software tools (Encase, FTK, Paraben, open source, freeware)
• Equipment
• Write blockers
• Encryption
• Password cracking
• Recovery of deleted data
• Server considerations
Other Forensic Considerations
• Limit keyword searching as much as practicable
• Cost
• Keep in mind client budgets and utilize sampling where appropriate
• Consider the type of case and areas to search
• Consider presentation of evidence
Case Studies
• Financial fraud
• Theft of Intellectual Property
• Spoliation
• Discrimination
• Sexual harassment
• Complying with discovery obligations in litigation
• Criminal
Forensic Exhibits
• Slack
• Deleted Files
• Bit Stream Backup
• Mathematical Hashing
• Files
• Sectors
• Clusters
• Swap File

MD5 Hash exhibit (two messages and their MD5 hashes as shown on the slide):

Message 1:
Hello Alice,
Thank you for
your mail!
Bob
MD5 Hash: 36 AE 0D 33 16 40 08 5B 47 1D F1 50 86 12 49 CC

Message 2:
Hello Alice,
Thank you for
your mail!
Bob
MD5 Hash: BE 47 71 B2 B4 43 C9 DC 34 13 64 84 AF A3 FC 7A
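Evidence validation by hashing, as an added example that is not part of the original slides: it hashes data in chunks the way an examiner would hash a large bit-stream image, verifies an image against its source under more than one algorithm, and measures how many digest bits change when a message differs by a single byte. The two messages are constructed for the example and do not reproduce the slide's exact bytes, so their hashes will not match the values shown above.

```python
import hashlib

# Constructed messages modelled on the slide's "Hello Alice" exhibit.
# Message B differs from A by one trailing byte.
MESSAGE_A = b"Hello Alice,\nThank you for your mail!\nBob"
MESSAGE_B = b"Hello Alice,\nThank you for your mail!\nBob."


def digest(data: bytes, algo: str = "md5", chunk_size: int = 4096) -> str:
    """Hash `data` in fixed-size chunks (as done for multi-GB images)."""
    h = hashlib.new(algo)
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bit positions where two equal-length hex digests differ."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_image(source: bytes, image: bytes, algos=("md5", "sha256")) -> dict:
    """Compare source media against its bit-stream image under each algorithm.

    Returns {algo: (source_digest, image_digest, match)}. Recording more
    than one digest guards against a collision in any single algorithm.
    """
    result = {}
    for algo in algos:
        s, i = digest(source, algo), digest(image, algo)
        result[algo] = (s, i, s == i)
    return result


if __name__ == "__main__":
    a, b = digest(MESSAGE_A), digest(MESSAGE_B)
    print("MD5(A) =", a)
    print("MD5(B) =", b)
    print("bits differing out of 128:", differing_bits(a, b))

    image = bytes(MESSAGE_A)            # a faithful bit-stream copy
    tampered = image[:-1] + b"X"        # same length, one byte altered
    print("faithful image:", verify_image(MESSAGE_A, image))
    print("tampered image:", verify_image(MESSAGE_A, tampered))
```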
Questions
For assistance or additional information
• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: [email protected]
JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115