Computer Forensics
- the application of computer investigation and analysis techniques in the interests of determining potential legal evidence
- the investigation of data that can be retrieved from a computer, applying scientific methods to retrieve the data
- the science of capturing, processing, and investigating data security incidents and making the results acceptable to a court of law
Goals:
- determine the evidential value of the crime scene and related evidence
- extract, process, and interpret the factual evidence so that it proves the attacker's actions in court

Objectives of computer forensics for a court of law
- estimate the potential impact of the malicious activity on the victim
- assess the intent and identity of the perpetrator
- e.g. establish that copyright or intellectual property theft has occurred

Father of forensics: Francis Galton, who made the first recorded study of fingerprints.

Computer forensics 3A
1. Acquire - obtain the evidence
2. Authenticate - show that the evidence is identical to the original
3. Analyze - analyze it without altering it

CSIRT (Company Security Incident Response Team)
1. detect incidents early to prevent them from spreading
2. protect critical information
3. provide education and training
4. develop and write programs
5. strengthen organizational security
6. reduce response time

Creating a CSIRT
1. obtain management support
2. develop the CSIRT strategic plan
3. gather relevant information
4. design the vision
5. communicate the CSIRT vision to those who need to know
6. begin building the CSIRT
7. announce the CSIRT
refer http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view

Steps in a forensics investigation
1. identify the computer crime
2. preliminary assessment: collect preliminary evidence
3. (optional) obtain a court warrant for seizure
4. perform first responder procedures
5. seize the evidence at the crime scene
6. transport the evidence to the forensic laboratory
7. copy the original evidence: create two bit-stream copies of the evidence
8. confirm that the copies match the original: generate hash values as checksums on the images
9. (important) maintain a chain of custody
10. preserve the original evidence: store it in a secure location
11. analyze the image copy for evidence
12. prepare a forensic report
13. submit the report to the client
14. attend the court and testify as an expert witness

Key points of a forensics investigation
- avoid analyzing the original data wherever possible
- do not damage the original device
- evidence acquisition must be of forensic-grade rigor and must withstand court scrutiny; refer to the rules of evidence

Security incident reports
Statistics on security incidents across different fields, used to understand the overall security landscape.
Reference data sources: Verizon DBIR, www.pwc.com

Resources for forensics
www.nij.gov - the research arm of the justice system; provides many forensics guides for reference
forensicswiki.org - provides forensics knowledge
www.cert.org/forensics - provides many research reports and tools
digital-forensics.sans.org - provides many forensics articles and the SIFT tool for learning
www.dfrws.org - a well-known forensics conference; also runs forensic challenges
www.forensicfocus.com - a well-known forensics forum
www.swgde.org - provides documents on forensic processes and best practices for reference
PS: LiveView converts a computer hard disk image into a VM; it is from CERT.

Common organizations
NIST (National Institute of Standards and Technology) - provides tools and creates procedures for testing and validating computer forensics software
NIPC (National Infrastructure Protection Center) - a unit of the United States federal government charged with protecting computer systems and information systems critical to the United States' infrastructure
CERT (Computer Emergency Response Team) - expert groups that handle computer security incidents
CIAC (Computer Incident Advisory Capability) - the original computer security incident response team at the Department of Energy; the response organization tracks hoaxes as well as viruses
USSS (United States Secret Service) - a federal law enforcement agency under the U.S. Department of Homeland Security; its responsibilities include financial crimes and the protection of important leaders
refer
https://en.wikipedia.org/wiki/National_Infrastructure_Protection_Center
https://en.wikipedia.org/wiki/Computer_emergency_response_team
https://en.wikipedia.org/wiki/Computer_Incident_Advisory_Capability
https://en.wikipedia.org/wiki/United_States_Secret_Service

Common laws: TITLE 18 - CRIMES AND CRIMINAL PROCEDURE
18 U.S.C. 1029 FRAUD AND RELATED ACTIVITY IN CONNECTION WITH ACCESS DEVICES - for fraud and related activity in connection with access devices like routers
18 U.S.C. 1030 FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS - for computer crimes involving e-mail scams and mail fraud
18 U.S.C. 2703 REQUIRED DISCLOSURE OF CUSTOMER COMMUNICATIONS OR RECORDS - authorizes the phone call to the ISP and obligates the ISP to preserve e-mail records
refer http://www.gpo.gov/fdsys/pkg/USCODE-2009-title18/html/USCODE-2009-title18.htm
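Steps 7 to 9 of the investigation procedure above (two bit-stream copies, hash checksums on the images, chain of custody), as an added example that is not part of the original notes. The "drive" is a constructed byte string in a temp directory, shutil.copyfile stands in for a dd image, and the examiner id and file names are assumptions.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so a multi-GB image does not fill RAM

def sha256_file(path):
    """Chunked SHA-256 of a file; the digest is the image's fingerprint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def reverify(record):
    """Step 8, repeatable at any later time: every image must still hash like the original."""
    return all(sha256_file(p) == record["sha256_original"] for p in record["sha256_images"])

def acquire_and_verify(source, workdir, examiner, custody_log):
    """Step 7: two bit-stream copies. Step 8: hash and compare. Step 9: append a custody record."""
    images = [os.path.join(workdir, f"image{i}.dd") for i in (1, 2)]
    for img in images:
        shutil.copyfile(source, img)  # byte-for-byte copy; stands in for a dd image
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # hypothetical examiner id supplied by the caller
        "source": source,
        "sha256_original": sha256_file(source),
        "sha256_images": {img: sha256_file(img) for img in images},
    }
    record["verified"] = reverify(record)
    with open(custody_log, "a") as log:  # append-only: each handover adds a line, none are edited
        log.write(json.dumps(record) + "\n")
    return record

def demo(tamper=False):
    """Run on a constructed 'drive'; tamper=True alters one byte of image2 afterwards."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect_drive.bin")
        with open(src, "wb") as f:
            f.write(b"CONSTRUCTED SAMPLE DRIVE CONTENT\x00" * 4096)  # constructed sample data
        rec = acquire_and_verify(src, d, "examiner-01", os.path.join(d, "custody.jsonl"))
        if tamper:
            with open(os.path.join(d, "image2.dd"), "r+b") as f:
                f.seek(7); f.write(b"X")
        return rec["verified"], reverify(rec)  # (verified at acquisition, verified now)
```

Because the original is hashed once and the images are re-hashed later, any change to a working copy between acquisition and analysis shows up as a mismatch against the recorded custody entry.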