Computer Forensics

Computer Forensics
the application of computer investigation and analysis techniques in the interest of determining potential legal evidence.
the investigation of data that can be retrieved from a computer by applying scientific methods to retrieve that data.
the science of capturing, processing, and investigating data security incidents and making the result acceptable to a court of law.
to determine the evidential value of the crime scene and related evidence.
to extract, process, and interpret the factual evidence so that it proves the attacker's actions in court.

Objectives of computer forensics
produce evidence usable in a court of law
estimate the potential impact of the malicious activity on the victim
assess the intent and identity of the perpetrator
ex:
showing that copyright or intellectual property theft has occurred

Father of forensics
Francis Galton, who made the first recorded study of fingerprints

Computer forensics 3A
1.Acquire – obtain the evidence
2.Authenticate – verify the evidence is identical to the original
3.Analyze – analyze without altering it

CSIRT(Company Security Incident Response Team)
1.Detect incidents early to prevent them from spreading
2.Protect critical information
3.Provide education and training
4.Develop and write procedures
5.Strengthen organizational security
6.Reduce response time

Creating a CSIRT
1.Obtain management support
2.Draft a strategic plan for the CSIRT
3.Gather the relevant information
4.Design the vision
5.Communicate the CSIRT vision to those who need to know
6.Begin building the CSIRT
7.Announce the CSIRT

refer
http://wenku.baidu.com/view/da7fbcd0360cba1aa811da11.html?re=view

……………..

Steps in a forensics investigation
1. identify the computer crime
2. preliminary assessment: collect preliminary evidence
3. (optional) obtain a court warrant for seizure
4. perform first responder procedures
5. seize the evidence at the crime scene
6. transport the evidence to the forensic laboratory
7. duplicate the original evidence: create two bit-stream copies of the evidence
8. confirm the copies match the original: generate a hash value as a checksum on the images
9. (Important) maintain a chain of custody
10. preserve the original evidence: store the original evidence in a secure location
11. analyze the image copy for evidence
12. prepare a forensic report
13. submit the report to the client
14. attend court and testify as an expert witness
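The 3A principle and steps 7 to 9 above (bit-stream copies, hash verification, chain of custody) are shown below as an added example written for these notes; it is not code from the original page or from any forensic tool. It stands in for dd on a device by copying a constructed sample "disk" file block by block, hashes the original and every image with SHA-256, records a chain-of-custody entry for each action, and shows that a later modification of a copy is caught by re-verifying the hash. The file names, the handler name and the sample disk contents are assumptions made for the demonstration.

```python
import datetime
import hashlib
import os
import tempfile

BLOCK = 1 << 20  # read/write in 1 MiB blocks, like dd bs=1M


def sha256_of(path):
    """Hash a file in blocks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def bit_stream_copy(src, dst):
    """Byte-for-byte copy of src into dst (stand-in for dd if=src of=dst).
    The source is opened read-only so the original is never modified."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            fout.write(chunk)
    return sha256_of(dst)


def custody_entry(item, action, handler, digest):
    """One chain-of-custody record: who did what to which item, when, and its hash."""
    return {
        "timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "item": item,
        "action": action,
        "handler": handler,
        "sha256": digest,
    }


def acquire_and_authenticate(src, out_dir, handler, copies=2):
    """Acquire: make `copies` bit-stream images. Authenticate: compare each
    image hash with the original's hash. Returns the original hash, the image
    records and the custody log built along the way."""
    log = []
    src_hash = sha256_of(src)
    log.append(custody_entry(src, "hashed original", handler, src_hash))
    images = []
    for i in range(1, copies + 1):
        img = os.path.join(out_dir, f"image{i}.dd")  # assumed image file name
        img_hash = bit_stream_copy(src, img)
        log.append(custody_entry(img, "created bit-stream image", handler, img_hash))
        images.append({"image": img, "sha256": img_hash,
                       "matches_original": img_hash == src_hash})
    return src_hash, images, log


def verify_image(path, expected_hash):
    """Re-hash an image before analysis; a mismatch means it is no longer a faithful copy."""
    return sha256_of(path) == expected_hash


def run_demo():
    """Build a constructed sample disk, image it twice, then tamper with one copy."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "suspect_disk.bin")  # constructed sample, not a real device
    with open(src, "wb") as f:
        f.write(os.urandom(3 * BLOCK + 123))  # not a whole number of blocks on purpose
    src_hash, images, log = acquire_and_authenticate(src, work, "examiner (assumed name)")
    copies_match = all(im["matches_original"] for im in images)
    # Analyze on the copy: simulate an accidental write to image2 during analysis.
    with open(images[1]["image"], "r+b") as f:
        f.seek(0)
        f.write(b"\x00")
    return {
        "copies_match": copies_match,
        "image1_still_verifies": verify_image(images[0]["image"], src_hash),
        "tampered_image2_verifies": verify_image(images[1]["image"], src_hash),
        "original_unchanged": sha256_of(src) == src_hash,
        "custody_entries": len(log),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Two details matter in practice: the source is only ever opened read-only (a write blocker plays that role for physical media), and every image is re-hashed immediately before analysis rather than trusting the hash recorded at acquisition time.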

Key points of a forensics investigation
Avoid analyzing the original data whenever possible
Do not damage the original equipment
Evidence acquisition must meet forensic-grade rigor and withstand scrutiny in court; refer to the rules of evidence

………………….

Security incident reports
statistics of security incidents from different fields help in understanding the overall security picture
reference data sources:
 Verizon DBIR
 www.pwc.com

Forensics resources
www.nij.gov an academic body within the justice system, offering many forensics guides for reference
forensicswiki.org provides forensics-related knowledge
www.cert.org/forensics provides many research reports and tools
digital-forensics.sans.org provides many forensics articles and the SIFT tool for learning
www.dfrws.org a well-known forensics conference that also runs forensics challenges
www.forensicfocus.com a well-known forensics forum
www.swgde.org provides documents and best practices on forensic procedures for reference
ps:
Live View: converts a computer hard disk (image) into a VM; it is from CERT

….

Common organizations
NIST(National Institute of Standards and Technology)
provides tools and creates procedures for testing and validating computer forensics software
NIPC(National Infrastructure Protection Center)
a unit of the United States federal government charged with protecting computer systems and information systems critical to the United States' infrastructure
CERT(Computer Emergency Response Team)
expert groups that handle computer security incidents
CIAC(Computer Incident Advisory Capability)
the original computer security incident response team at the Department of Energy.
the response organization tracks hoaxes as well as viruses
USSS(United States Secret Service)
a federal law enforcement agency under the U.S. Department of Homeland Security
responsibilities include financial crimes and the protection of important leaders
refer
https://en.wikipedia.org/wiki/National_Infrastructure_Protection_Center
https://en.wikipedia.org/wiki/Computer_emergency_response_team
https://en.wikipedia.org/wiki/Computer_Incident_Advisory_Capability
https://en.wikipedia.org/wiki/United_States_Secret_Service


Common TITLE 18-CRIMES AND CRIMINAL PROCEDURE
18 U.S.C. 1029
 FRAUD AND RELATED ACTIVITY IN CONNECTION WITH ACCESS DEVICES
 for fraud and related activity in connection with access devices like routers
18 U.S.C. 1030
 FRAUD AND RELATED ACTIVITY IN CONNECTION WITH COMPUTERS
 for computer crimes involving e-mail scams and mail fraud
18 U.S.C. 2703
 REQUIRED DISCLOSURE OF CUSTOMER COMMUNICATIONS OR RECORDS
 authorizes this phone call and obligates the ISP to preserve e-mail records
refer
http://www.gpo.gov/fdsys/pkg/USCODE-2009-title18/html/USCODE-2009-title18.htm