fs ch 19

Chapter 19

Forensic Science and the Internet

Forensic ScienceRichard Saferstein

© 2009 Pearson Education, Upper Saddle River, NJ 07458.

All Rights Reserved.2

Introduction

No subject or profession remains untouched by the Internet:

-forensic science

-one common electronic forensic community




A Network of Networks Internet: “network of networks.”

A single network consists of two or more computers that are connected to share information.

The Internet connects thousands of these networks so all of the information can be exchanged worldwide.

Modem: telephone lines Cable lines/DSL




A Network of Networks

Computers that participate in the Internet have a unique numerical Internet Provider (IP) address and usually a name.




The World Wide Web World Wide Web:-collection of pages stored in the computers

connected to the Internet throughout the world. -Web browsers: -explore information the Web -retrieve Web pages

Search engines:-directories/indexes -assist user in locating topics




Electronic Mail (e-Mail)

Most commonly used in conjunction with the Internet

-transport messages across the world

Web pages:-simple explanations of forensics -intricate details of forensic science

specialties




Internet Cache Cache system:

-expedite web browsing

-source of evidence

-Portions/entire web pages can be reconstructed

-deleted cached files can be recovered




Internet Cookies Cookies:-placed on the local hard disk drive by the

web site the user has visited. -used by the web site to track certain

information about its visitors -history of visits-purchasing habits-passwords -personal information




Internet History Most web browsers track the history of web

page visits for the computer user

-accounting of sites most recently visited

-weeks worth of visits

-history file located/read with computer forensic software packages




Bookmarks and Favorite Places

Bookmarks/favorite places -bookmark websites for future visits

Info from Bookmarks:-online news-hobbies-favorite child pornography-computer hacking sites




Internet Communications Computer investigations often begin or

are centered around Internet communication.

Chat

instant message (IM)

e-mail exchange




Value of the IP address IP address:

-provided by the Internet Service provider

-lead to the identity of a real person




IP Address Locations E-Mail:-IP address in the header portion

configuration to reveal. case by case basis.

IM/Chat:-Internet Service Provider (ISP):-AOL-Yahoo




Difficulty with IP Addresses Finding IP addresses may be difficult.

E-mail can be read through a number of clients or software programs.

Most accounts offer the ability to access e-mail through a web-based interface as well.

Often the majority of chat and instant message conversations are not saved by the parties involved.




Hacking Unauthorized computer intrusion:

corporate espionage bragging rights Rogue/disgruntled employee




Locations of Concentration Investigative sources:

log files volatile memory network traffic




Logs Logs:

-document the IP address of the computer that made the connection

-located in several locations on computer network

-router (the device responsible for directing data)-firewalls




Computer Intrusion Investigation Cover tracks of IP address

-capture volatile data (data in RAM).

-clues into the identity of the intruder/method of attack.

-IM/chat data in RAM needs to be acquired




Intrusion Investigation Document all programs installed/running

-malicious software installed by the perpetrator to facilitate entry

-specialized software designed to document running processes/registry entries/installed files.




Live Network Traffic Traffic that travels the network:

-data packets

-contain source and destination IP addresses

-two-way communication (stealing data)- transmitted back to hacker’s computer




The Destination IP Address Destination IP:-investigation can focus on that system Type of data-type of attack being launched-data being stolen-types of malicious software

fs ch 19

Technology

ip address ip address

internet history

network of networks

web browsers

web site

world web pages

ip address locations

world wide web world