DFEv1_Module_01_Computer_Forensics_Fundamentals[1].pdf

Full Transcript


Module 01: Computer Forensics Fundamentals
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Module Objectives
1. Understanding the Fundamentals of Computer Forensics
2. Understanding Different Types of Cybercrimes
3. Overview of Indicators of Compromise (IoCs)
4. Overview of Different Types of Digital Evidence and Rules of Evidence
5. Understanding Forensic Readiness Planning and Business Continuity
6. Understanding the Roles and Responsibilities of a Forensic Investigator
7. Understanding the Legal Compliance in Computer Forensics

Module Flow
1. Understand the Fundamentals of Computer Forensics
2. Understand Digital Evidence
3. Understand Forensic Readiness
4. Identify the Roles and Responsibilities of a Forensic Investigator
5. Understand Legal Compliance in Computer Forensics

Understanding Computer Forensics
Computer forensics refers to a set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment, such that any discovered evidence is acceptable during a legal and/or administrative proceeding.
Objectives of Computer Forensics
- Identify, gather, and preserve the evidence of a cybercrime
- Gather evidence of cybercrimes in a forensically sound manner
- Estimate the potential impact of malicious activity on the victim and assess the intent of the perpetrator
- Minimize the tangible and intangible losses to the organization
- Protect the organization from similar incidents in the future
- Support the prosecution of the perpetrator of an incident

Need for Computer Forensics
1. To ensure the overall integrity and continued existence of IT systems and network infrastructure within the organizations
2. To protect the organization's financial resources and valuable time
3. To efficiently track down perpetrators from different parts of the world
4. To extract, process, and interpret the factual evidence such that it proves the attacker's actions in court

When Do You Use Computer Forensics?
- Prepare for incidents by securing and strengthening the defense mechanism as well as closing the loopholes in security
- Identify the actions needed for incident response
- Act against copyright and intellectual property theft/misuse
- Estimate and minimize the damage to resources in a corporate setup
- Set a security parameter and formulate security norms for ensuring forensic readiness

Types of Cybercrimes
Cybercrime is defined as any illegal act involving a computing device, network, its systems, or its applications. Cybercrime can be categorized into two types based on the line of attack:

Internal/Insider Attack
- It is an attack performed on a corporate network or on a single computer by an entrusted person (insider) who has authorized access to the network
- Such insiders can be former or current employees, business partners, or contractors

External Attack
- This type of attack occurs when an attacker from outside the organization tries to gain unauthorized access to its computing systems or informational assets
- These attackers exploit security loopholes or use social engineering techniques to infiltrate the network
Examples of Cybercrimes
1. Espionage
2. Intellectual Property Theft
3. Data Manipulation
4. Trojan Horse Attack
5. Structured Query Language Attack
6. Brute-force Attack
7. Phishing/Spoofing
8. Privilege Escalation Attacks
9. Denial of Service Attack
10. Cyber Defamation
11. Cyberterrorism
12. Cyberwarfare

Impact of Cybercrimes at the Organizational Level
1. Loss of confidentiality, integrity, and availability of information stored in organizational systems
2. Theft of sensitive data
3. Sudden disruption of business activities
4. Loss of customer and stakeholder trust
5. Substantial reputational damage
6. Huge financial losses
7. Penalties arising from the failure to comply with regulations
Introduction to Digital Evidence
- Digital evidence is defined as "any information of probative value that is either stored or transmitted in a digital form"
- Digital evidence is circumstantial and fragile in nature, which makes it difficult for a forensic investigator to trace criminal activities
- According to Locard's Exchange Principle, "anyone or anything entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave"

Types of Digital Evidence
Volatile Data
- Data that are lost as soon as the device is powered off; examples include system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.
Non-volatile Data
- Permanent data stored on secondary storage devices such as hard disks and memory cards; examples include hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, hidden partitions, registry settings, event logs, etc.

Roles of Digital Evidence
Examples of cases where digital evidence may assist the forensic investigator in the prosecution or defense of a suspect:
1. Identity theft
2. Malicious attacks on the computer systems themselves
3. Information leakage
4. Unauthorized transmission of information
5. Theft of commercial secrets
6. Use/abuse of the Internet
7. Production of false documents and accounts
8. Unauthorized encryption/password protection of documents
9. Abuse of systems
10. Email communication between suspects/conspirators

Sources of Potential Evidence
User-Created Files
- Address books
- Database files
- Media (images, graphics, audio, video, etc.) files
- Documents (text, spreadsheet, presentation, etc.) files
- Internet bookmarks, favorites, etc.
User-Protected Files
- Compressed files
- Misnamed files
- Encrypted files
- Password-protected files
- Hidden files
- Steganography
Computer-Created Files
- Backup files
- Log files
- Configuration files
- Printer spool files
- Cookies
- Swap files
- System files
- History files
- Temporary files
Sources of Potential Evidence (Cont'd)
Device: Location of Potential Evidence
- Hard Drive: Text, picture, video, multimedia, database, and computer program files
- Thumb Drive: Text, graphics, image, and picture files
- Memory Card: Event logs, chat logs, text files, image files, picture files, and internet browsing history
- Smart Card, Dongle, Biometric Scanner: Evidence is found by recognizing or authenticating the information of the card and the user, through the level of access, configurations, permissions, and in the device itself
- Answering Machine: Voice recordings such as deleted messages, last called number, memo, phone numbers, and tapes
- Digital Camera/Surveillance Cameras: Images, removable cartridges, video, sound, time and date stamp, etc.
- Random Access Memory (RAM) and Volatile Storage: Evidence is located and can be acquired from the main memory of the computer

Sources of Potential Evidence (Cont'd)
Device: Location of Potential Evidence
- Handheld Devices: Address book, appointment calendars or information, documents, email, handwriting, password, phone book, text messages, and voice messages
- Local Area Network (LAN) Card / Network Interface Card (NIC): MAC (Media Access Control) address
- Routers, Modem, Hubs, and Switches: For routers, evidence is found in the configuration files; for hubs, switches, and modems, evidence is found on the devices themselves
- Network Cables and Connectors: On the devices themselves
- Server: Computer system
- Printer: Evidence is found through usage logs, time and date information, network identity information, ink cartridges, and time and date stamp
- Internet of Things and Wearables: Evidence can be acquired in the form of GPS, audio and video recordings, cloud storage, sensors, etc.
Sources of Potential Evidence (Cont'd)
Device: Location of Potential Evidence
- Removable Storage Device and Media: Storage device and media such as tape, CD, DVD, and Blu-ray contain the evidence in the devices themselves
- Scanner: Evidence is found by looking at the marks on the glass of the scanner
- Telephones: Evidence is found through names, phone numbers, caller identification information, appointment information, electronic mail and pages, etc.
- Copiers: Documents, user usage logs, time and date stamps, etc.
- Credit Card Skimmers: Evidence is found through card expiration date, user's address, credit card numbers, user's name, etc.
- Digital Watches: Evidence is found through address book, notes, appointment calendars, phone numbers, email, etc.
- Facsimile (Fax) Machines: Evidence is found through documents, phone numbers, film cartridge, send or receive logs
- Global Positioning Systems (GPS): Evidence is found through previous destinations, way points, routes, travel logs, etc.
Rules of Evidence
Digital evidence collection must be governed by five basic rules that make it admissible in a court of law:
1. Understandable: Evidence must be clear and understandable to the judges
2. Admissible: Evidence must be related to the fact being proved
3. Authentic: Evidence must be real and appropriately related to the incident
4. Reliable: There must be no doubt about the authenticity or veracity of the evidence
5. Complete: The evidence must prove the attacker's actions or his/her innocence

Best Evidence Rule
It states that the court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy. However, the duplicate can be accepted as evidence, provided the court finds the party's reasons for submitting the duplicate to be genuine.
The principle underlying the best evidence rule is that the original evidence is considered the best evidence.
Federal Rules of Evidence (United States)
These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined.
https://www.rulesofevidence.org

Scientific Working Group on Digital Evidence (SWGDE)
Principle 1
- In order to ensure that the digital evidence is collected, preserved, examined, or transferred in a manner safeguarding the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective quality system
Standards and Criteria 1.1
- All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. All elements of an agency's policies and procedures concerning digital evidence must be clearly set forth in this SOP document, which must be issued under the agency's management authority.
Standards and Criteria 1.2
- Agency management must review the SOPs on an annual basis to ensure their continued suitability and effectiveness
Standards and Criteria 1.3
- Procedures used must be generally accepted in the field or supported by data gathered and recorded in a scientific manner
https://www.swgde.org

Scientific Working Group on Digital Evidence (SWGDE) (Cont'd)
Standards and Criteria 1.4
- The agency must maintain written copies of appropriate technical procedures
Standards and Criteria 1.5
- The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure
Standards and Criteria 1.6
- All activity relating to the seizure, storage, examination, or transfer of the digital evidence must be recorded in writing and be available for review and testimony
Standards and Criteria 1.7
- Any action that has the potential to alter, damage, or destroy any aspect of the original evidence must be performed by qualified persons in a forensically sound manner
https://www.swgde.org

The Association of Chief Police Officers (ACPO) Principles of Digital Evidence
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court
Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence in court
Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to
https://www.college.police.uk
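The integrity and audit-trail requirements set out above (the Best Evidence Rule's acceptance of a verified duplicate, the Authentic and Reliable rules of evidence, SWGDE Standards and Criteria 1.6, and ACPO Principles 1 and 3) are met in practice by hashing the evidence before and after imaging and keeping a chain-of-custody log that an independent party can re-run against the working copy. The Python script below is an added example, not code from the EC-Council module; the evidence bytes, the examiner name and the log layout are constructed placeholders, and a real acquisition would hash a device or image file rather than an in-memory byte string.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: stands in for a disk image acquired from a
# seized device. Not real data.
ORIGINAL_EVIDENCE = b"constructed-evidence-image: user=alice last_login=2024-01-02T09:15Z\n"


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as a hex string (the 'fingerprint'
    that lets a duplicate be shown identical to the original)."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of every process applied to the evidence
    (ACPO Principle 3, SWGDE 1.6). Each entry carries a UTC timestamp,
    the examiner, the action taken and the digest observed at that moment."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, action: str, examiner: str, digest: str, note: str = "") -> None:
        self.entries.append({
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "examiner": examiner,
            "sha256": digest,
            "note": note,
        })

    def export(self) -> str:
        """Serialize the trail for the case file."""
        return json.dumps(self.entries, indent=2)


def acquire_working_copy(original: bytes, log: CustodyLog, examiner: str) -> bytes:
    """Produce a bit-for-bit copy, logging the original's digest before and
    after imaging (ACPO Principle 1: the original must not change) and the
    digest of the copy (Best Evidence Rule: the duplicate is verifiably the
    same as the original)."""
    log.record("hash-original", examiner, sha256_hex(original),
               "digest of original before imaging")
    working_copy = bytes(original)  # bit-for-bit duplicate
    log.record("image", examiner, sha256_hex(working_copy),
               "digest of working copy produced by imaging")
    log.record("hash-original-after", examiner, sha256_hex(original),
               "original re-hashed after imaging; must equal entry 1")
    return working_copy


def copy_matches_original(original: bytes, working_copy: bytes) -> bool:
    """True only if the duplicate is byte-identical to the original."""
    return sha256_hex(original) == sha256_hex(working_copy)


def independent_reverification(working_copy: bytes, log: CustodyLog) -> bool:
    """What a third party does with the case file: recompute the digest of the
    working copy and check it against every digest in the trail. A single
    mismatch means either the evidence or the log cannot be relied upon."""
    digest = sha256_hex(working_copy)
    imaged = any(e["action"] == "image" for e in log.entries)
    return imaged and all(e["sha256"] == digest for e in log.entries)


def demo() -> dict:
    """Run the acquisition on the constructed evidence and also show that a
    one-byte change to the copy is caught by both checks."""
    log = CustodyLog()
    copy = acquire_working_copy(ORIGINAL_EVIDENCE, log, "examiner-01 (placeholder)")
    tampered = copy[:-1] + b"\x00"  # constructed: last byte altered
    return {
        "copy_ok": copy_matches_original(ORIGINAL_EVIDENCE, copy),
        "tampered_ok": copy_matches_original(ORIGINAL_EVIDENCE, tampered),
        "reverified": independent_reverification(copy, log),
        "reverified_tampered": independent_reverification(tampered, log),
        "log_entries": len(log.entries),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log deliberately stores the digest of the original twice, before and after imaging: a third party reading the case file can see not only that the copy matches, but that the act of copying left the original unchanged, which is the evidence Principle 2 would require an examiner to explain in court.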
Forensic Readiness
- Forensic readiness refers to an organization's ability to optimally use digital evidence in a limited period of time and with minimal investigation costs
Benefits:
- Fast and efficient investigation with minimal disruption to the business
- Provides security from cybercrimes such as intellectual property theft, fraud, or extortion
- Offers structured storage of evidence that reduces the cost and time of an investigation
- Improves law enforcement interface
- Helps the organization use the digital evidence in its own defense
Forensic Readiness and Business Continuity
Forensic readiness helps maintain business continuity by allowing quick and easy identification of the impacted components and replacing them to continue the services and business.

Forensic readiness allows businesses to:
- Quickly determine the incidents
- Collect legally sound evidence and analyze it to identify attackers
- Minimize the required resources
- Quickly recover from damage with less downtime
- Gather evidence to claim insurance
- Legally prosecute the perpetrators and claim damages

Lack of forensic readiness may result in:
- Loss of clients due to damage to the organization's reputation
- System downtime
- Data manipulation, deletion, and theft
- Inability to collect legally sound evidence
Forensic Readiness Planning
Forensic readiness planning refers to a set of processes to be followed to achieve and maintain forensic readiness:
1. Identify the potential evidence required for an incident
2. Determine the sources of evidence
3. Define a policy that determines the pathway to legally extract electronic evidence with minimal disruption
4. Establish a policy to handle and store the acquired evidence in a secure manner
5. Identify if the incident requires full or formal investigation
6. Create a process for documenting the procedure
7. Establish a legal advisory board to guide the investigation process
8. Keep an incident response team ready to review the incident and preserve the evidence
Need for a Forensic Investigator
Cybercrime Investigation
- Forensic investigators, by virtue of their skills and experience, help organizations and law enforcement agencies investigate and prosecute the perpetrators of cybercrimes
Sound Evidence Handling
- If a technically inexperienced person examines the evidence, it might become inadmissible in a court of law
Incident Handling and Response
- Forensic investigators help organizations maintain forensic readiness and implement effective incident handling and response

Roles and Responsibilities of a Forensic Investigator
A forensic investigator performs the following tasks:
- Determines the extent of any damage done during the crime
- Recovers data of investigative value from computing devices involved in crimes
- Creates an image of the original evidence without tampering with it to maintain its integrity
- Guides the officials carrying out the investigation
- Analyzes the evidence data found
- Prepares the analysis report
- Updates the organization about various attack methods and data recovery techniques, and maintains a record of them
- Addresses the issue in a court of law and attempts to win the case by testifying in court

What Makes a Good Computer Forensics Investigator?
- Interviewing skills to gather extensive information about the case from the client or victim, witnesses, and suspects
- Excellent writing skills to detail findings in the report
- Strong analytical skills to find the evidence and link it to the suspect
- Excellent communication skills to explain their findings to the audience
- Remains updated about new methodologies and forensic technology
- Well-versed in more than one computer platform (including Windows, Macintosh, and Linux)
- Knowledge of various technologies, hardware, and software
- Develops and maintains contact with computing, networking, and investigating professionals
- Has knowledge of the laws relevant to the case
Computer Forensics and Legal Compliance
- Legal compliance in computer forensics ensures that any evidence that is collected and analyzed is admissible in a court of law
- Compliance with certain regulations and standards plays an important part in computer forensic investigation and analysis, some of which are as follows:
1. Gramm-Leach-Bliley Act (GLBA)
2. Federal Information Security Modernization Act of 2014 (FISMA)
3. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
4. Payment Card Industry Data Security Standard (PCI DSS)
5. Electronic Communications Privacy Act
6. General Data Protection Regulation (GDPR)
7. Data Protection Act 2018
8. Sarbanes-Oxley Act (SOX) of 2002

Other Laws Relevant to Computer Forensics
United States
- Foreign Intelligence Surveillance Act: https://www.fas.org
- Protect America Act of 2007: https://www.congress.gov
- Privacy Act of 1974: https://www.justice.gov
- National Information Infrastructure Protection Act of 1996: https://www.congress.gov
- Computer Security Act of 1987: https://www.congress.gov
- Freedom of Information Act (FOIA): https://www.foia.gov
United Kingdom
- Regulation of Investigatory Powers Act 2000: https://www.legislation.gov.au
Australia
- Cybercrime Act 2001: https://www.legislation.gov.au
- Information Privacy Act 2014: https://www.findandconnect.gov.au
India
- Information Technology Act: http://www.dot.gov.in
Germany
- Section 202a. Data Espionage, Section 303a. Alteration of Data, Section 303b. Computer Sabotage: http://www.cybercrimelaw.net
Italy
- Penal Code Article 615 ter: http://www.cybercrimelaw.net
Canada
- Canadian Criminal Code Section 342.1: https://laws-lois.justice.gc.ca
Singapore
- Computer Misuse Act: https://sso.agc.gov.sg
Belgium
- Computer Hacking: http://www.cybercrimelaw.net
Brazil
- Unauthorized modification or alteration of the information system: https://www.domstol.no
Philippines
- Data Privacy Act of 2012: https://www.privacy.gov.ph
Hong Kong
- Cap. 486 Personal Data (Privacy) Ordinance: https://www.pcpd.org.hk

Module Summary
1. This module has discussed the fundamentals of computer forensics
2. It has covered various types of digital evidence and rules of evidence
3. It also discussed in detail the various laws and rules to be considered during digital evidence collection
4. This module also discussed forensic readiness planning and business continuity
5. It has also discussed the roles and responsibilities of a forensic investigator
6. Finally, this module ended with a detailed discussion on legal compliance in computer forensics
7. In the next module, we will discuss in detail the computer forensics investigation process
