Intro To Computer Forensics

Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer data. It is often more of an art than a science, but as in any discipline, computer forensic specialists follow clear, well-defined methodologies and procedures, and flexibility is expected and encouraged when encountering the unusual.

Uploaded by

Vishal Vasu
Copyright
© All Rights Reserved

Intro to Computer Forensics

Warren G. Kruse II, CISSP, CFCE


[email protected]
http://www.computer-forensic.com
732-695-0530

Copy on www.computer-forensic.com/presentations/

Copyright Computer Forensic Services, LLC


Topics
• Intro to Computer Forensics
• What may be available



What Is Computer Forensics?

“Computer forensics involves the preservation, identification,
extraction, documentation and interpretation of computer
data. It is often more of an art than a science, but as in any
discipline, computer forensic specialists follow clear,
well-defined methodologies and procedures, and flexibility is
expected and encouraged when encountering the unusual.”
From: “Computer Forensics: Incident Response Essentials”
• Finding key pieces of evidence - even if someone
has tried to hide, discard, or destroy them.



Software Recommendations
– Guidance Software’s EnCase: www.encase.com
– AccessData’s Forensic Toolkit:
www.accessdata.com
– AccessData Password Recovery Toolkit
– AccessData’s Distributed Network Attack
– ProDiscover (DFT or IR), www.techpathways.com
– Safeback, www.forensics-intl.com
– Quick View Plus, http://www.jasc.com/
– Thumbs Plus (Shareware), www.cerious.com
– Irfanview (freeware for non-commercial use)
• www.irfanview.com
What Computer Forensics is used for:
• High Tech Investigations
• Incident Response
• E-mail recovery and analysis
• Document & File Discovery
– Locating and recovering previously inaccessible files.
• Data Collection
– Collecting data while preserving vital date and time stamps,
temporary files and other volatile information.



What Computer Forensics is used for:
• Preservation of Evidence
– Adherence to a carefully developed set of procedures that
address security, authenticity, and chain of custody.
• Analysis of User Activity
– Reporting of all user activity on the computer and company
network including, but not limited to, e-mail, Internet and
Intranet files accessed, files created and deleted, and user
access times.
• Password Recovery
– Accessing and recovering data from password protected
files.
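The preservation and chain-of-custody bullet above is, in practice, backed by a hash-verified acquisition: the source is hashed as it is read, the resulting image is hashed independently, and both digests are logged so any later change to the image can be detected. The following is an added example, not code from the presentation or from any of the tools it lists; the function names `acquire_image` and `verify_image`, the one-JSON-record-per-line custody log, and the constructed "suspect drive" contents are assumptions made for illustration.

```python
"""Hash-verified acquisition with a chain-of-custody log (added example).

Not code from the presentation. `acquire_image`, `verify_image` and the
one-record-per-line JSON log format are assumptions made for illustration.
The source may be an ordinary file or a block device opened read-only.
"""
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a large drive never has to fit in RAM


def sha256_of(path: str) -> str:
    """SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(src: str, dst: str, examiner: str, log_path: str) -> dict:
    """Copy src to dst bit for bit, hashing the source as it is read.

    The written image is then hashed independently from disk; only if both
    digests agree is the acquisition marked verified. The record is appended
    to the custody log so later handling can be checked against it.
    """
    src_hash = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while chunk := fin.read(CHUNK):
            src_hash.update(chunk)
            fout.write(chunk)
    os.chmod(dst, 0o444)  # work from copies of the image; never edit it in place
    record = {
        "event": "acquire",
        "source": src,
        "image": dst,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes": os.path.getsize(dst),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": sha256_of(dst),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_image(image: str, log_path: str) -> bool:
    """Re-hash the image and compare with the digest logged at acquisition.

    Returns False if the image was altered or if no acquisition record exists.
    """
    logged = None
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            if rec.get("event") == "acquire" and rec.get("image") == image:
                logged = rec["sha256_image"]
    return logged is not None and sha256_of(image) == logged


def demo() -> dict:
    """Stand-alone walk-through on a constructed stand-in for a seized drive."""
    import tempfile
    d = tempfile.mkdtemp(prefix="forensics-demo-")
    src, dst, log = (os.path.join(d, n) for n in ("suspect_drive.bin", "suspect.dd", "custody.jsonl"))
    data = b"PatentSubmission.doc lives here\0" * 4096  # constructed drive contents, 32 bytes * 4096
    with open(src, "wb") as f:
        f.write(data)
    rec = acquire_image(src, dst, "examiner-01", log)
    intact = verify_image(dst, log)
    os.chmod(dst, 0o644)  # simulate someone editing the image in place
    with open(dst, "r+b") as f:
        f.write(b"X")
    return {
        "verified_at_acquisition": rec["verified"],
        "bytes": rec["bytes"],
        "sha256": rec["sha256_image"],
        "expected_sha256": hashlib.sha256(data).hexdigest(),
        "verified_before_tamper": intact,
        "verified_after_tamper": verify_image(dst, log),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>24}: {v}")
```

The point of hashing the source during the copy rather than afterwards is that a second read of the original is avoided; the image is then hashed on its own so the two digests come from two independent reads. The custody log is append-only by construction, and `verify_image` is the check an examiner runs before and after any analysis session.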



Investigative Methods
• Common sense
• Physical surveillance
• Victim/witness interview
• Undercover approach
• Electronic surveillance
(network monitoring:
sniffers, NIDS, etc.)
• Informants
• Sting operation
• IMAGE!
Does this sound any different than other types of investigations?



Keys to Success
• Documentation of all actions
• Preservation of evidence
• Swift action to collect electronic audit trails
• Resources
• Time – hard drives are getting HUGE!



Tools of our trade



Terminology
• Image: exact copy of a hard drive
including deleted files and areas of the
hard drive that a normal backup would
not copy
• Slack, Swap and Unallocated space



Show Me Something!
• Password Protected files
• Deleted Files Demos



Password Protection



Show Me Something Else!
• Once Upon a Time There Was a File
Named PatentSubmission.Doc



A File Is Born



The File Dies…or Does It?



Encase Doesn’t Think So



How About Now?



Let’s See Shall We?



It’s ALLLLLLLIVE!

5 HITS



How About Now?



Let’s See



It’s STILL ALLLLLLLIVE!

5 HITS



The Resurrection
(“Deleted” File Before and After Format and Defrag)



Trace Information May Exist From:
• Email
• PDA/Blackberry
• Temp Files
• Recycle Bin
• Info File Fragments
• Recent Link Files
• Spool (printed) files
• Internet History (index.dat)
• Registry
• Unallocated Space
• File Slack
The File Lives On…
• This was made possible only through
the forensic practice of treating the
entire physical disk as evidence (rather
than just files) and handling it as
evidence.
• Demos anyone?
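The Terminology slide (image, slack, unallocated space) and the PatentSubmission.doc demo above make one point: deleting, reusing sectors and even a quick format change filesystem metadata, not the data sectors, so a keyword search over the whole image keeps finding the content that the file-level view no longer shows. The following added example (not the presentation's code, and not how EnCase or any real filesystem is implemented) builds a toy raw image with an invented layout to make that visible: sector 0 is a directory of 32-byte entries, data starts at sector 1, and the function names, the 48-byte "claim" line and the memo text are all constructed for illustration.

```python
"""Toy raw image showing why a 'deleted' file is still recoverable (added example).

Not the presentation's code. The on-disk layout is invented for illustration:
sector 0 is a directory of 32-byte entries (20-byte name, start sector, length,
reserved); file data starts at sector 1. Real filesystems differ in detail but
share the property shown here: delete and quick format touch metadata, not the
data sectors, so an image of the whole disk still contains the bytes.
"""
import struct

SECTOR = 512
ENTRY = struct.Struct("<20sIII")      # name, start_sector, length, reserved
MAX_ENTRIES = SECTOR // ENTRY.size    # 16 entries fit in the directory sector


def new_image(sectors: int = 64) -> bytearray:
    return bytearray(SECTOR * sectors)


def list_files(img: bytearray) -> dict:
    """File-level view: what a normal backup or file browser would copy."""
    files = {}
    for i in range(MAX_ENTRIES):
        name, start, length, _ = ENTRY.unpack_from(img, i * ENTRY.size)
        if name[0] != 0:
            files[name.rstrip(b"\0").decode()] = (start, length)
    return files


def create_file(img: bytearray, name: str, data: bytes) -> None:
    """Write data at the first free sector and add a directory entry.

    Only len(data) bytes are written, so whatever was in the rest of the last
    sector stays there: that leftover is file slack.
    """
    if len(name.encode()) > 20:
        raise ValueError("name too long")
    ends = [s + -(-l // SECTOR) for s, l in list_files(img).values()]
    start = max(ends, default=1)
    if (start + -(-len(data) // SECTOR)) * SECTOR > len(img):
        raise ValueError("image full")
    img[start * SECTOR:start * SECTOR + len(data)] = data
    for i in range(MAX_ENTRIES):
        if img[i * ENTRY.size] == 0:
            ENTRY.pack_into(img, i * ENTRY.size, name.encode(), start, len(data), 0)
            return
    raise ValueError("directory full")


def delete_file(img: bytearray, name: str) -> None:
    """Delete the way most filesystems do: clear the entry, leave the data."""
    for i in range(MAX_ENTRIES):
        entry = ENTRY.unpack_from(img, i * ENTRY.size)[0].rstrip(b"\0").decode()
        if entry == name:
            img[i * ENTRY.size:(i + 1) * ENTRY.size] = bytes(ENTRY.size)
            return
    raise FileNotFoundError(name)


def quick_format(img: bytearray) -> None:
    """A quick format rewrites only the directory sector."""
    img[0:SECTOR] = bytes(SECTOR)


def keyword_hits(img: bytearray, keyword: bytes) -> list:
    """Forensic view: search every byte of the image, allocated or not."""
    hits, pos = [], img.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = img.find(keyword, pos + 1)
    return hits


def demo() -> dict:
    """Follow one file through delete, reuse of its sectors, and quick format."""
    img = new_image()
    line = b"PatentSubmission - confidential claim text line\n"  # 48 bytes, constructed
    create_file(img, "PatentSubmission.doc", line * 5)        # keyword appears 5 times
    key = b"confidential claim"

    def state():  # (files visible at file level, keyword hits in the raw image)
        return len(list_files(img)), len(keyword_hits(img, key))

    result = {"live": state()}
    delete_file(img, "PatentSubmission.doc")
    result["deleted"] = state()
    # A new, shorter file lands on the same sector; old bytes past its end survive as slack.
    memo = b"memo: lunch at noon, bring the slides.\n"
    create_file(img, "memo.txt", memo)
    result["reused"] = state()
    result["slack_holds_old_data"] = key in img[SECTOR + len(memo):2 * SECTOR]
    quick_format(img)
    result["formatted"] = state()
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>20}: {v}")
```

Running `demo()` shows the file count dropping to zero while the raw hit count stays at five after the delete, then four after a new file overwrites the first 39 bytes of the old one, with the remaining copies sitting in the slack of `memo.txt`; the quick format removes the directory again and changes nothing in the data sectors. This is the behaviour the "treat the entire physical disk as evidence" bullet relies on, and it is also why an examiner searches the image rather than the files.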



Where to go from here
• www.virtuallibrarian.com/legal/
• www.htcia.org
• Shameless Plug Warning:

– Computer Forensics:
Incident Response Essentials
– Paperback: 416 pages
– Publisher: Addison-Wesley Pub Co
– ISBN: 0201707195
Computer Forensic Services, LLC
Copy on www.computer-forensic.com/presentations/

Warren Kruse
20-22 Industrial Way
Eatontown, New Jersey
Toll Free: (732) 695-0530
Email: [email protected]
