prasad-rane
8/8/2019 Chap 8 EPCF
http://slidepdf.com/reader/full/chap-8-epcf 1/21
Ethics, Privacy and Computer Forensics
Chap 8 Computer Basics For Digital Investigators

The Basics
Central Processing Unit (CPU)
  Processes instructions for every computer
Basic Input and Output System (BIOS)
  Handles basic movement of data in a computer
  Programs use it to communicate with the CPU
Power on Self Test (POST)
  A small program that tests basic components of a computer
  Verifies integrity of the CPU and the program itself
  Then it checks all others: drives, monitor, RAM and keyboard
Before POST is complete and after BIOS is activated, some computers allow you to edit the configuration using Complementary Metal Oxide Silicon (CMOS)
Results of POST are checked against CMOS settings

Disk Boot
An operating system extends the function of the BIOS and interfaces with the outside world
Boot sequence looks for the location of the OS and loads it
The ability to boot up from a disk is important when the hard disk may contain evidence

Representation of data
Digital data is a sequence of 0 and 1 called bits
Bit Representation
  little-endian: Intel based
  Big-endian: Sun and Mac based
Common data representation is Hexadecimal
Another one is ASCII (table 8.1)
We need to use tools that display data in hexadecimal and ASCII

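An added example, not part of the original slides: a small viewer that shows bytes in hexadecimal and ASCII side by side, and reads the same four bytes under both byte orders. The sample buffer and the function names are constructed for illustration.

```python
import struct

def hexdump(data: bytes, width: int = 16) -> list:
    """Return lines of 'offset  hex bytes  |ascii|', the view a hex editor gives."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        # Printable ASCII is 0x20..0x7e; every other byte is shown as '.'
        text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{text}|")
    return lines

def read_u32(data: bytes, offset: int) -> dict:
    """Interpret the same four bytes as a little-endian and a big-endian integer."""
    raw = data[offset:offset + 4]
    if len(raw) != 4:
        raise ValueError("need four bytes at the given offset")
    return {
        "little": struct.unpack("<I", raw)[0],  # Intel byte order
        "big": struct.unpack(">I", raw)[0],     # Sun / older Mac byte order
    }

# Constructed sample: the value 0x12345678 stored little-endian, then ASCII
# text, then two non-printable bytes.
SAMPLE = struct.pack("<I", 0x12345678) + b"EVIDENCE.TXT\x00\xff"

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    values = read_u32(SAMPLE, 0)
    print(f"little-endian: {values['little']:#010x}  big-endian: {values['big']:#010x}")
```

Reading a field with the wrong byte order gives a plausible but wrong number, so the byte order of the system that wrote the data has to be known before a value is interpreted.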
Storage Media
Hard disks, floppy disks, thumb drives etc.
Hard disks are the richest in digital evidence
Integrated Disk Electronics (IDE) or Advanced Technology Attachment (ATA)
Higher performance SCSI drives
FireWire is an adaptation of SCSI standards that provides high speed access to a chain of devices
All hard drives contain platters made of light, rigid material such as aluminum, ceramic or glass

More on Hard Drives
Platters have a magnetic coating on both sides and spin between a pair of read/write heads
These heads move like a needle on top of the old LP records but on a cushion of air created by the disk above the surface
The heads can align particles of magnetic media, called writing, and can detect how the magnetic particles are aligned, called reading
Particles aligned one way are considered 0 and aligned another way 1

Storage
Cylinders are the data tracks that the data is being recorded on
Each track/cylinder is divided into sectors that contain 512 bytes of information
  512*8 bits of information
Location of data can be determined by which cylinder they are on, which head can access them and which sector contains them, or CHS addressing
Capacity of a hard drive: # of C*H*S*512

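An added example, not part of the original slides: the capacity formula above, plus the standard conversion from a CHS address to a linear sector number and byte offset, which goes beyond what the slide states. The 1024/16/63 geometry and the function names are constructed for illustration.

```python
SECTOR_SIZE = 512  # bytes per sector, as stated on the slide

def capacity_bytes(cylinders: int, heads: int, sectors_per_track: int) -> int:
    """Capacity = C * H * S * 512."""
    return cylinders * heads * sectors_per_track * SECTOR_SIZE

def chs_to_lba(c: int, h: int, s: int, heads: int, sectors_per_track: int) -> int:
    """Convert a CHS address to a linear sector number.

    Cylinders and heads count from 0, sectors count from 1.
    """
    if c < 0 or not 0 <= h < heads or not 1 <= s <= sectors_per_track:
        raise ValueError("CHS address outside the drive geometry")
    return (c * heads + h) * sectors_per_track + (s - 1)

def lba_to_chs(lba: int, heads: int, sectors_per_track: int) -> tuple:
    """Inverse of chs_to_lba for the same geometry."""
    c, rem = divmod(lba, heads * sectors_per_track)
    h, s0 = divmod(rem, sectors_per_track)
    return c, h, s0 + 1

def byte_offset(c: int, h: int, s: int, heads: int, sectors_per_track: int) -> int:
    """Byte position of a sector inside a raw image of the whole drive."""
    return chs_to_lba(c, h, s, heads, sectors_per_track) * SECTOR_SIZE

# Constructed sample geometry: 1024 cylinders, 16 heads, 63 sectors per track.
GEOMETRY = {"heads": 16, "sectors_per_track": 63}

if __name__ == "__main__":
    print("capacity:", capacity_bytes(1024, **GEOMETRY), "bytes")
    print("CHS (2, 3, 4) -> sector", chs_to_lba(2, 3, 4, **GEOMETRY))
    print("CHS (2, 3, 4) -> byte offset", byte_offset(2, 3, 4, **GEOMETRY))
    print("sector 2208 -> CHS", lba_to_chs(2208, **GEOMETRY))
```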
Limitations
When the investigation reveals evidence that the activity falls within reportable crimes;
When the investigation reveals that the trail of evidence extends beyond the boundaries of your enterprise network; and
When you know you're over your head.
Diagram labels: Event, Discovery, Analysis, Decision, Investigate

File System Locations
SKIP SECTION 8.5 for now

Very Brief Intro to Encryption
Encryption is a process that translates a plaintext/digital object into an unreadable format or digital object
Encryption uses the concept of a key, which is a type of data that, when applied using a specific algorithm, will result in unreadable data
Symmetric Encryption: decryption is simply a reverse of the encryption (using the same key)
Asymmetric Encryption: decryption process is different from encryption and usually done with different keys

Digital Signatures
Electronic method to ensure:
  Data is from who it says it is from
  Data has NOT been altered
Important for e-commerce transactions
Works whether or not the document itself is encrypted

Digital Signatures
Sender builds the signature using a private key
Recipient decodes the signature using the sender's public key
To ensure no changes to data, messages can be hashed
Hashing (somewhat akin to CRC) calculates a unique value for the document
Receiver re-calculates the hash and compares it to the received hash

The digital signature process.

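An added example, not part of the original slides: the sign, decode and compare steps from the two Digital Signatures slides, showing that an altered message fails verification. The key is a toy built from two publicly known primes with no padding, and the messages and function names are constructed for illustration.

```python
import hashlib

# Toy key for the demonstration only (assumption): two publicly known Mersenne
# primes and no padding. Real signatures use random keys and a padding scheme.
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q                           # public modulus
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent

def digest_int(message: bytes) -> int:
    """Hash the message with SHA-256 and return the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes) -> int:
    """Sender: build the signature from the hash using the private key."""
    return pow(digest_int(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Recipient: decode the signature with the public key, re-calculate the
    hash of the data that arrived, and compare the two values."""
    received_hash = pow(signature, E, N)
    return received_hash == digest_int(message)

# Constructed sample messages.
ORIGINAL = b"Transfer 100.00 to account 12345"
TAMPERED = b"Transfer 900.00 to account 12345"

def demo() -> dict:
    sig = sign(ORIGINAL)
    return {
        "original_ok": verify(ORIGINAL, sig),
        "tampered_ok": verify(TAMPERED, sig),
        "wrong_signature_ok": verify(ORIGINAL, sig ^ 1),
    }

if __name__ == "__main__":
    print(demo())
```

The message itself is sent in the clear here, which matches the slide's point that a signature works whether or not the document is encrypted.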
Ethics
Very hard to define
Certified professionals are held to a high standard
Should be part of an organizational behavior and culture
Generate guidelines for ethics and Net-ethics

(ISC)² Code of Ethics
Conduct in accordance with highest moral standards
Not be a party to any unlawful or unethical act
Report any unlawful acts
Support and be active in promoting best information security practices
Provide competent services to their clients, employees & community
Be professional
Do not misuse information they have access to

CEI 10 Cs of Computer Ethics - Thou Shall
I. Not use a computer to harm other people
II. Not interfere with other people's work
III. Not snoop around in other people's computer files
IV. Not use a computer to steal
V. Not use a computer to bear false witness

Computer Ethics Institute 10 Cs of Computer Ethics - Thou Shall
VI. Not copy or use proprietary software for which you have not paid
VII. Not use other people's computer resources without authorization or the proper compensation
VIII. Not appropriate other people's intellectual output
IX. Think about the social consequences of the program you are writing for the system you are designing
X. Use a computer in ways that ensure consideration and respect for your fellow human

Good Internet Conduct
Unacceptable and unethical activities:
  Seeks to gain unauthorized access to resources of the internet
  Destroys integrity of computer based information
  Disrupts the use of the internet
  Wastes resources such as people, capacity and computers via these actions
  Compromises privacy of users
  Involves negligence in the conduct of internet wide experiments

Class Work
Research the following tools. Provide at least 5 of each
  Network vulnerability scanning
  OS vulnerability scanning
  Application vulnerability scanning
  Digital Forensics
  Pretty Good Privacy (PGP) software
For each tool indicate in a table
  Cost, available for download and evaluation
  Coverage and what the requirements are to install it
  Description of the tool and why you like it or do not like it
  OS flavor it works on

Class Work
In not more than ½ page or two slides, describe the ethical questions concerning handling of digital evidence
Based on what you have read so far, how can you improve on the digital evidence process
List the types of possible sources of digital evidence and a description of what they may have that is relevant
List at least 10 web sites with digital forensics services and describe their methodology. Not more than ½ page or one slide