Computer Forensics Fundamentals PDF
Summary
This document provides an introduction to computer forensics, outlining core concepts, modules, and the importance of various laws. It covers topics like the fundamentals, types of cybercrimes, digital evidence, forensic readiness, and roles of investigators.
Module 01: Computer Forensics Fundamentals
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module Objectives
1. Understanding the Fundamentals of Computer Forensics
2. Understanding Different Types of Cybercrimes
3. Overview of Indicators of Compromise (IoCs)
4. Overview of Different Types of Digital Evidence and Rules of Evidence
5. Understanding Forensic Readiness Planning and Business Continuity
6. Understanding the Roles and Responsibilities of a Forensic Investigator
7. Understanding Legal Compliance in Computer Forensics

Module Flow
1. Understand the Fundamentals of Computer Forensics
2. Understand Digital Evidence
3. Understand Forensic Readiness
4. Identify the Roles and Responsibilities of a Forensic Investigator
5. Understand Legal Compliance in Computer Forensics

Understanding Computer Forensics
Computer forensics refers to a set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment, such that any discovered evidence is acceptable during a legal and/or administrative proceeding.

Objectives of Computer Forensics
- Identify, gather, and preserve the evidence of a cybercrime
- Gather evidence of cybercrimes in a forensically sound manner
- Estimate the potential impact of malicious activity on the victim and assess the intent of the perpetrator
- Minimize the tangible and intangible losses to the organization
- Protect the organization from similar incidents in the future
- Support the prosecution of the perpetrator of an incident
Need for Computer Forensics
1. To ensure the overall integrity and continued existence of IT systems and network infrastructure within the organization
2. To extract, process, and interpret the factual evidence such that it proves the attacker's actions in court
3. To efficiently track down perpetrators from different parts of the world
4. To protect the organization's financial resources and valuable time

When Do You Use Computer Forensics?
- Prepare for incidents by securing and strengthening the defense mechanism as well as closing the loopholes in security
- Identify the actions needed for incident response
- Act against copyright and intellectual property theft/misuse
- Estimate and minimize the damage to resources in a corporate setup
- Set a security parameter and formulate security norms for ensuring forensic readiness

Types of Cybercrimes
Cybercrime is defined as any illegal act involving a computing device, network, its systems, or its applications. Cybercrime can be categorized into two types based on the line of attack:
Internal/Insider Attack
- An attack performed on a corporate network or on a single computer by an entrusted person (insider) who has authorized access to the network
- Such insiders can be former or current employees, business partners, or contractors
External Attack
- Occurs when an attacker from outside the organization tries to gain unauthorized access to its computing systems or informational assets
- These attackers exploit security loopholes or use social engineering techniques to infiltrate the network
Examples of Cybercrimes
1. Espionage
2. Intellectual Property Theft
3. Data Manipulation
4. Trojan Horse Attack
5. Structured Query Language (SQL) Injection Attack
6. Brute-force Attack
7. Phishing/Spoofing
8. Privilege Escalation Attacks
9. Denial of Service Attack
10. Cyber Defamation
11. Cyberterrorism
12. Cyberwarfare

Impact of Cybercrimes at the Organizational Level
1. Loss of confidentiality, integrity, and availability of information stored in organizational systems
2. Theft of sensitive data
3. Sudden disruption of business activities
4. Loss of customer and stakeholder trust
5. Substantial reputational damage
6. Huge financial losses
7. Penalties arising from the failure to comply with regulations

Introduction to Digital Evidence
Digital evidence is defined as "any information of probative value that is either stored or transmitted in a digital form".
Digital evidence is circumstantial and fragile in nature (it can be altered or destroyed by ordinary system activity, so it must be preserved before it is examined), which makes it difficult for a forensic investigator to trace criminal activities.
According to Locard's Exchange Principle, "anyone or anything entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave".
Types of Digital Evidence
Volatile Data
- Data that are lost as soon as the device is powered off; examples include system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.
- Because it disappears at shutdown and keeps changing while the system runs, volatile data must be captured from the live system before anything else, most volatile items first (the order of volatility described in RFC 3227), and every action taken on the live system must be recorded, since the capture itself alters the system state
Non-volatile Data
- Permanent data stored on secondary storage devices such as hard disks and memory cards; examples include hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, event logs, etc.

Roles of Digital Evidence
Examples of cases where digital evidence may assist the forensic investigator in the prosecution or defense of a suspect:
1. Identity theft
2. Malicious attacks on the computer systems themselves
3. Information leakage
4. Unauthorized transmission of information
5. Theft of commercial secrets
6. Use/abuse of the Internet
7. Production of false documents and accounts
8. Unauthorized encryption/password protection of documents
9. Abuse of systems
10. Email communication between suspects/conspirators

Sources of Potential Evidence
User-Created Files
- Address books
- Database files
- Media (images, graphics, audio, video, etc.) files
- Documents (text, spreadsheet, presentation, etc.) files
- Internet bookmarks, favorites, etc.
User-Protected Files
- Compressed files
- Misnamed files
- Encrypted files
- Password-protected files
- Hidden files
- Steganography
Computer-Created Files
- Backup files
- Log files
- Configuration files
- Printer spool files
- Cookies
- Swap files
- System files
- History files
- Temporary files
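As an added example (not part of the EC-Council material), the Python script below shows what "capture volatile data first, in order of volatility" looks like when written down: it runs one collector per artifact class named above, in a fixed order from most to least volatile, and timestamps and hashes each capture so that the live-response record can itself be verified later. It uses only the standard library; the collector names, the record layout and the choice of /proc as the data source are assumptions of this example, and the socket and process collectors return empty lists on non-Linux hosts.

```python
"""Live-response collector: volatile artifacts in order of volatility,
each capture timestamped and hashed. Added example, standard library only;
/proc-based collectors return [] where /proc does not exist.
"""
import getpass
import hashlib
import json
import os
import platform
import socket
import time

# Most volatile first (the order-of-volatility idea in RFC 3227); host
# identity is nearly static and therefore comes last.
COLLECTION_ORDER = ("system_time", "logged_on_user", "network_sockets",
                    "processes", "host_identity")


def collect_system_time():
    # Examiner's clock reading comes first: every later timestamp on this
    # host is interpreted relative to it.
    return {"utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "epoch": time.time()}


def collect_logged_on_user():
    try:
        user = getpass.getuser()
    except Exception:          # no usable login name in the environment
        user = None
    return {"user": user, "uid": os.getuid() if hasattr(os, "getuid") else None}


def collect_network_sockets():
    # /proc/net/tcp columns: sl, local addr:port (hex), remote addr:port,
    # state, tx:rx queues, timer, retrans, uid, timeout, inode. The inode is
    # what ties a socket back to a process (the process-to-port mapping).
    sockets = []
    try:
        with open("/proc/net/tcp") as fh:
            next(fh)                                   # header line
            for line in fh:
                f = line.split()
                if len(f) < 10:
                    continue
                sockets.append({"local": f[1], "remote": f[2],
                                "state": f[3], "inode": f[9]})
    except OSError:
        pass
    return sockets


def collect_processes():
    procs = []
    try:
        pids = [p for p in os.listdir("/proc") if p.isdigit()]
    except OSError:
        return procs
    for pid in pids:
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue                                   # exited while we looked
        procs.append({"pid": int(pid), "cmdline": cmd.strip()})
    return procs


def collect_host_identity():
    return {"hostname": socket.gethostname(), "platform": platform.platform()}


COLLECTORS = {"system_time": collect_system_time,
              "logged_on_user": collect_logged_on_user,
              "network_sockets": collect_network_sockets,
              "processes": collect_processes,
              "host_identity": collect_host_identity}


def collect_volatile():
    """Run the collectors in COLLECTION_ORDER; each entry records when it ran
    and a SHA-256 of its canonical JSON so later alteration is detectable."""
    record = {}
    for name in COLLECTION_ORDER:
        data = COLLECTORS[name]()
        blob = json.dumps(data, sort_keys=True).encode()
        record[name] = {"collected_at": time.time(),
                        "sha256": hashlib.sha256(blob).hexdigest(),
                        "data": data}
    return record


def verify_record(record):
    """Recompute every artifact hash; True only if nothing was altered."""
    for entry in record.values():
        blob = json.dumps(entry["data"], sort_keys=True).encode()
        if hashlib.sha256(blob).hexdigest() != entry["sha256"]:
            return False
    return True


if __name__ == "__main__":
    # Send the record to the examiner's own media, never to the evidence
    # host's disk, which would overwrite slack and unallocated space.
    print(json.dumps(collect_volatile(), indent=2))
```

Run it from trusted tooling carried on external media and redirect the output off the host; the record's per-artifact hashes are what you quote in the notes required under ACPO Principle 2 when you explain what you did to the live system and why.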
Sources of Potential Evidence (Cont'd)
Device: Location of Potential Evidence
- Hard Drive: Text, picture, video, multimedia, database, and computer program files
- Thumb Drive: Text, graphics, image, and picture files
- Memory Card: Event logs, chat logs, text files, image files, picture files, and internet browsing history
- Smart Card, Dongle, Biometric Scanner: Evidence is found by recognizing or authenticating the information of the card and the user, through the level of access, configurations, permissions, and in the device itself
- Answering Machine: Voice recordings such as deleted messages, last called number, memo, phone numbers, and tapes
- Digital Camera/Surveillance Cameras: Images, removable cartridges, video, sound, time and date stamp, etc.
- Random Access Memory (RAM) and Volatile Storage: Evidence is located and can be acquired from the main memory of the computer
- Handheld Devices: Address book, appointment calendars or information, documents, email, handwriting, password, phone book, text messages, and voice messages
- Local Area Network (LAN) Card/Network Interface Card (NIC): MAC (Media Access Control) address
- Routers, Modems, Hubs, and Switches: For routers, evidence is found in the configuration files; for hubs, switches, and modems, evidence is found on the devices themselves
- Network Cables and Connectors: On the devices themselves
- Server: Computer system
- Printer: Evidence is found through usage logs, time and date information, network identity information, ink cartridges, and time and date stamp
- Internet of Things and Wearables: Evidence can be acquired in the form of GPS, audio and video recordings, cloud storage, sensors, etc.
- Removable Storage Device and Media: Storage devices and media such as tape, CD, DVD, and Blu-ray contain the evidence in the devices themselves
- Scanner: Evidence is found by looking at the marks on the glass of the scanner
- Telephones: Evidence is found through names, phone numbers, caller identification information, appointment information, electronic mail and pages, etc.
- Copiers: Documents, user usage logs, time and date stamps, etc.
- Credit Card Skimmers: Evidence is found through card expiration date, user's address, credit card numbers, user's name, etc.
- Digital Watches: Evidence is found through address book, notes, appointment calendars, phone numbers, email, etc.
- Facsimile (Fax) Machines: Evidence is found through documents, phone numbers, film cartridge, send or receive logs
- Global Positioning Systems (GPS): Evidence is found through previous destinations, waypoints, routes, travel logs, etc.

Rules of Evidence
Digital evidence collection must be governed by five basic rules that make it admissible in a court of law:
1. Understandable: Evidence must be clear and understandable to the judges
2. Admissible: Evidence must be related to the fact being proved
3. Authentic: Evidence must be real and appropriately related to the incident
4. Reliable: There must be no doubt about the authenticity or veracity of the evidence
5. Complete: The evidence must prove the attacker's actions or his/her innocence

Best Evidence Rule
It states that the court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy. However, a duplicate can be accepted as evidence, provided the court finds the party's reasons for submitting the duplicate to be genuine.
The principle underlying the best evidence rule is that the original evidence is considered the best evidence. For electronically stored information the US Federal Rules of Evidence treat any printout or other output readable by sight as an "original" if it accurately reflects the information (Rule 1001(d)), and admit a duplicate unless a genuine question is raised about the original's authenticity (Rule 1003); in practice this is why a bit-for-bit image whose hash matches the source drive is accepted in place of the drive.

Federal Rules of Evidence (United States)
These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined.
https://www.rulesofevidence.org

Scientific Working Group on Digital Evidence (SWGDE)
Principle 1
- In order to ensure that the digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system
Standards and Criteria 1.1
- All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency's policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency's management authority
Standards and Criteria 1.2
- Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness
Standards and Criteria 1.3
- Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner
https://www.swgde.org
Scientific Working Group on Digital Evidence (SWGDE) (Cont'd)
Standards and Criteria 1.4
- The agency must maintain written copies of appropriate technical procedures
Standards and Criteria 1.5
- The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure
Standards and Criteria 1.6
- All activity relating to the seizure, storage, examination, or transfer of the digital evidence must be recorded in writing and be available for review and testimony
Standards and Criteria 1.7
- Any action that has the potential to alter, damage, or destroy any aspect of the original evidence must be performed by qualified persons in a forensically sound manner
https://www.swgde.org

The Association of Chief Police Officers (ACPO) Principles of Digital Evidence
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence, in court.
Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
ACPO itself was replaced by the National Police Chiefs' Council (NPCC) in 2015, but the four principles remain the reference point in UK practice and are carried in the College of Policing guidance linked here.
https://www.college.police.uk
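The rules of evidence, the best evidence rule, SWGDE 1.6 and ACPO Principle 3 all come down to the same mechanical requirement: the image must be shown to be a bit-for-bit duplicate of the original, and every handling step must be recorded in a form a third party can repeat and check. The Python below is an added example of that requirement (it is not EC-Council, SWGDE or ACPO code): it images a source while hashing it, re-hashes the resulting image independently, and keeps a chain-of-custody log in which each entry carries the hash of the previous one. The evidence "device" is a byte string constructed here, and the function and field names are this example's own.

```python
"""Forensically sound imaging with a tamper-evident chain-of-custody log.
Added example, not EC-Council's or ACPO's material. The evidence source is
a constructed byte string standing in for a drive behind a hardware write
blocker; in a real acquisition, open the block device read-only and pass
that file object as `source`, and an image file opened 'w+b' as `dest`.
"""
import hashlib
import io
import json
import time

CHUNK = 1 << 20               # 1 MiB reads: large images never sit fully in memory
ALGOS = ("sha256", "sha1")    # two digests, as imaging tools report, so an
                              # independent examiner can reproduce either one
SAMPLE_EVIDENCE = b"constructed evidence block " * 1000   # constructed, not real data


def hash_stream(stream):
    """Hash a file-like object from its current position to EOF."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hs.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def acquire_image(source, dest):
    """Copy every byte of `source` to `dest`, hashing the source as it is read,
    then re-read `dest` independently. Equal digests show the image is a
    bit-for-bit duplicate, which is what lets it stand in for the original."""
    source.seek(0)
    hs = {a: hashlib.new(a) for a in ALGOS}
    total = 0
    for chunk in iter(lambda: source.read(CHUNK), b""):
        dest.write(chunk)
        total += len(chunk)
        for h in hs.values():
            h.update(chunk)
    dest.flush()
    dest.seek(0)
    return {"bytes": total,
            "source": {a: h.hexdigest() for a, h in hs.items()},
            "image": hash_stream(dest)}


def verify_image(dest, expected):
    """Re-hash the image and compare with the digests recorded at acquisition:
    the step a third party repeats to reach the same result."""
    dest.seek(0)
    return hash_stream(dest) == expected


class CustodyLog:
    """Append-only custody record. Every entry includes the hash of the
    previous entry, so editing or removing one breaks all later links."""

    def __init__(self):
        self.entries = []

    def add(self, action, actor, details):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
                "action": action, "actor": actor, "details": details,
                "prev_hash": prev}
        body["entry_hash"] = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            prev = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if prev != e["entry_hash"]:
                return False
        return True


def demo():
    """Seize, image, and verify the constructed sample, logging each step."""
    source, image, log = io.BytesIO(SAMPLE_EVIDENCE), io.BytesIO(), CustodyLog()
    log.add("seize", "examiner-1", {"item": "hypothetical laptop HDD", "write_blocker": True})
    result = acquire_image(source, image)
    log.add("image", "examiner-1", result)
    ok = verify_image(image, result["image"])
    log.add("verify", "examiner-2", {"match": ok})   # a second examiner repeats the hash
    return {"result": result, "image": image, "log": log, "ok": ok}


if __name__ == "__main__":
    d = demo()
    print(json.dumps(d["result"], indent=2), "\nchain intact:", d["log"].verify())
```

The source hash is computed from the same bytes that are written, and the image hash from a separate read of the destination, so a silent write error or a short copy shows up as a mismatch rather than as a plausible-looking image. Both digests go into the custody log at the moment of acquisition; anyone who later edits an entry, or drops one, invalidates every entry after it, which is what makes the log usable as the audit trail Principle 3 asks for.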
Forensic Readiness
Forensic readiness refers to an organization's ability to optimally use digital evidence in a limited period of time and with minimal investigation costs.
Benefits:
- Fast and efficient investigation with minimal disruption to the business
- Provides security from cybercrimes such as intellectual property theft, fraud, or extortion
- Offers structured storage of evidence that reduces the cost and time of an investigation
- Improves the interface with law enforcement
- Helps the organization use the digital evidence in its own defense

Forensic Readiness and Business Continuity
Forensic readiness helps maintain business continuity by allowing quick and easy identification of the impacted components and replacing them to continue the services and business.
Forensic readiness allows businesses to:
- Quickly determine the incidents
- Collect legally sound evidence and analyze it to identify attackers
- Minimize the required resources
- Quickly recover from damage with less downtime
- Gather evidence to claim insurance
- Legally prosecute the perpetrators and claim damages
Lack of forensic readiness may result in:
- Loss of clients due to damage to the organization's reputation
- System downtime
- Data manipulation, deletion, and theft
- Inability to collect legally sound evidence
Forensic Readiness Planning
Forensic readiness planning refers to a set of processes to be followed to achieve and maintain forensic readiness:
1. Identify the potential evidence required for an incident
2. Determine the sources of evidence
3. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption
4. Establish a policy to handle and store the acquired evidence in a secure manner
5. Identify if the incident requires a full or formal investigation
6. Create a process for documenting the procedure
7. Establish a legal advisory board to guide the investigation process
8. Keep an incident response team ready to review the incident and preserve the evidence

Need for a Forensic Investigator
Cybercrime Investigation
- Forensic investigators, by virtue of their skills and experience, help organizations and law enforcement agencies investigate and prosecute the perpetrators of cybercrimes
Sound Evidence Handling
- If a technically inexperienced person examines the evidence, it might become inadmissible in a court of law
Incident Handling and Response
- Forensic investigators help organizations maintain forensic readiness and implement effective incident handling and response
Roles and Responsibilities of a Forensic Investigator
A forensic investigator performs the following tasks:
- Determines the extent of any damage done during the crime
- Recovers data of investigative value from computing devices involved in crimes
- Creates an image of the original evidence without tampering with it, to maintain its integrity
- Guides the officials carrying out the investigation
- Analyzes the evidence data found
- Prepares the analysis report
- Updates the organization about various attack methods and data recovery techniques, and maintains a record of them
- Presents the findings in a court of law and supports the case by testifying as a witness

What Makes a Good Computer Forensics Investigator?
- Interviewing skills to gather extensive information about the case from the client or victim, witnesses, and suspects
- Excellent writing skills to detail findings in the report
- Strong analytical skills to find the evidence and link it to the suspect
- Excellent communication skills to explain their findings to the audience
- Remains updated about new methodologies and forensic technology
- Well-versed in more than one computer platform (including Windows, Macintosh, and Linux)
- Knowledge of various technologies, hardware, and software
- Develops and maintains contact with computing, networking, and investigating professionals
- Has knowledge of the laws relevant to the case
Computer Forensics and Legal Compliance
- Legal compliance in computer forensics ensures that any evidence that is collected and analyzed is admissible in a court of law
- Compliance with certain regulations and standards plays an important part in computer forensic investigation and analysis, some of which are as follows:
1. Gramm-Leach-Bliley Act (GLBA)
2. Federal Information Security Modernization Act of 2014 (FISMA)
3. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
4. Payment Card Industry Data Security Standard (PCI DSS)
5. Electronic Communications Privacy Act
6. General Data Protection Regulation (GDPR)
7. Data Protection Act 2018
8. Sarbanes-Oxley Act (SOX) of 2002

Other Laws Relevant to Computer Forensics
United States
- Foreign Intelligence Surveillance Act: https://www.fas.org
- Protect America Act of 2007: https://www.congress.gov
- Privacy Act of 1974: https://www.justice.gov
- National Information Infrastructure Protection Act of 1996: https://www.congress.gov
- Computer Security Act of 1987: https://www.congress.gov
- Freedom of Information Act (FOIA): https://www.foia.gov
United Kingdom
- Regulation of Investigatory Powers Act 2000: https://www.legislation.gov.uk
Australia
- Cybercrime Act 2001: https://www.legislation.gov.au
- Information Privacy Act 2014: https://www.findandconnect.gov.au
India
- Information Technology Act: http://www.dot.gov.in
Germany
- Section 202a. Data Espionage, Section 303a. Alteration of Data, Section 303b. Computer Sabotage: http://www.cybercrimelaw.net
Italy
- Penal Code Article 615 ter: http://www.cybercrimelaw.net
Canada
- Canadian Criminal Code Section 342.1: https://laws-lois.justice.gc.ca
Singapore
- Computer Misuse Act: https://sso.agc.gov.sg
Belgium
- Computer Hacking: http://www.cybercrimelaw.net
Brazil
- Unauthorized modification or alteration of the information system
Philippines
- Data Privacy Act of 2012: https://www.privacy.gov.ph
Hong Kong
- Cap. 486 Personal Data (Privacy) Ordinance: https://www.pcpd.org.hk

Module Summary
1. This module has discussed the fundamentals of computer forensics
2. It has covered the various types of digital evidence and the rules of evidence
3. It has also discussed in detail the various laws and rules to be considered during digital evidence collection
4. It has also discussed forensic readiness planning and business continuity
5. It has also discussed the roles and responsibilities of a forensic investigator
6. Finally, this module ended with a detailed discussion of legal compliance in computer forensics
7. The next module discusses the computer forensics investigation process in detail