Computer Forensics (Digital Forensic)
SUMMER BRIDGE PROGRAM
DR. HWAJUNG LEE, DR. ASHLEY PODHRADSKY
Image Source: thecomputerforensics.info
DAY ONE
Who am I?
Dr. Hwajung Lee
› Associate Professor in the department of Information Technology at Radford University
› Email: [email protected]
Image Source: computerforensicsinfo.org
Sa-rang and Coco
Who is your TA?
Ms. Eileen Hindmon
› in the department of Information Technology at Radford University
Image Source: racktopsystems.com
Our Plan for This Week
DAY ONE (Monday)
› Lecture and TWO activities
Activity One: Who are you?
Activity Two: Digital Forensic Cases
DAY TWO (Tuesday)
› Lecture and ONE activity
Activity Three: Acquiring an Image of Evidence Media and Recovering a Deleted File
DAY THREE (Wednesday)
› Lecture and TWO activities
Activity Four: Cookies and Grabbing Passwords with Wireshark
Activity Five: Encryptor and Decryptor
DAY FOUR (Thursday)
Activity Six: Writing a wrap-up report
Activity Seven: Preparing the Friday Presentation
DAY FIVE (Friday)
Presentation in the closing session
Summer Bridge Program at Radford University
Activity ONE: Who are you?
Image Source: newenglandcomputerforensics.com
Activity ONE: Who are you?
What is your name?
What is your school?
What is your favorite indoor/outdoor activity?
What is your favorite time of day/day of the week/month of the year? Why?
When you have 2 hours of free time, how do you pass the time?
What do you expect from this class and the Summer Bridge Program?
Anything else?
Image Source: newenglandcomputerforensics.com
This week, we will talk about…
What is computer forensics?
Computer forensics in the news
When is computer forensics used?
History of computer forensics
How to prepare for computer investigations
Computer forensics examples: AccessData FTK Imager, Wireshark, Encryptor & Decryptor
Image Source: e-crimebureau.com
Forensic
Adj. - “of, relating to, or used in courts of law or public debate or argument"
› From the Latin term forensis (forum)
Computer Forensics - Exceedingly poor English expression which uses the noun computer as an adjective to modify the adjective forensic as a noun
Digital Forensics – still poor English expression
I think “Forensic IT” is a better expression
Source: class note by Rob Guess
Understanding Computer Forensics (1)
Computer forensics
› Involves obtaining and analyzing digital information
› Investigates data that can be retrieved from a computer’s hard disk or other storage media, including the tasks of recovering data that users have hidden or deleted and using it as evidence. Evidence can be inculpatory (“incriminating”) or exculpatory
Image Source: en.wikipedia.org
Understanding Computer Forensics (2)
Types of Evidence
› Exculpatory: Proves Innocence
› Inculpatory: Proves Guilt
› Tampering: Proves Malfeasance or Mishandling
Source: class note by Rob Guess
Understanding Computer Forensics (3)
Related Fields
› Network forensics: Yields information about how a perpetrator or an attacker gained access to a network
› Data recovery: Recovers information that was deleted by mistake or intentionally. Typically you know what you’re looking for
› Disaster recovery: Uses computer forensics techniques to retrieve information their clients have lost due to natural or man-made disaster
Computer Crime
Computer as an Instrument of Crime
› Remote System Penetration
› Instrument of Fraud
› Used to Deliver Threats / Harassment
› DoS Attacks
Computer as a Victim of a Crime
› System Compromise
Repository of Evidence Incidental to Crime
› Contraband Items
› Electronic Discovery in Civil Litigation
Source: class note by Rob Guess
The Importance of Being Digital
People live and work in increasingly digital modes
Nearly every crime now involves some form of digital evidence
3~4% of people will commit a crime given the opportunity
Internet based crime presents a lower overall risk to the offender when compared to “real world” crime
This naturally encourages criminals to adopt digital modes
Source: class note by Rob Guess
Digital Evidence
Name some examples of digital evidence
› ________________________
› ________________________
› ________________________
› ________________________
Source: class note by Rob Guess
Image Source: nacvaquickread.wordpress.com
Sources of Digital Evidence
Open Computer Systems
› PCs, Servers, Etc
Communication Systems
› Telecommunications Systems
› Transient Network (content) Data
› Non-transient (log) Data
Embedded Computer Systems
› PDAs, Cell Phones, iPods, iPhone, Etc
Source: class note by Rob Guess
Crimes Involving Digital Evidence
Traditional crimes
Theft of Trade Secrets
Harassment
Intrusion Events
Malicious Code
Child Pornography
Inappropriate Use
Others?
Source: class note by Rob Guess
Activity TWO: Digital Forensic Cases (1)
BTK Killer
› http://precisioncomputerinvestigations.wordpress.com/2010/04/14/how-computer-forensics-solved-the-btk-killer-case/
Michael Jackson
› http://www.dfinews.com/news/michael-jackson-death-trial-showcases-iphone-forensics
Caylee Anthony
› http://www.christianpost.com/news/casey-anthony-trial-computer-expert-unearths-chloroform-internet-searches-50980/
Activity TWO: Digital Forensic Cases (2)
The Dangers of the Internet
› http://precisioncomputerinvestigations.wordpress.com/2010/04/13/the-dangers-of-the-internet/
Facebook and Skype Forensics
› Findings of a Facebook Forensic Analysis: http://precisioncomputerinvestigations.wordpress.com/2010/03/09/findings-of-a-facebook-analysis/
› Chat History: http://precisioncomputerinvestigations.wordpress.com/tag/skype-forensics/
Activity TWO: Digital Forensic Cases (3)
What Computer Forensics Can Do For You
› http://precisioncomputerinvestigations.wordpress.com/2010/04/08/what-computer-forensics-can-do-for-you/
Corporate Fraud – A Case Study
› http://precisioncomputerinvestigations.wordpress.com/2010/03/29/corporate-fraud-a-case-study/
Corporate Investigation – A Case Study
› http://precisioncomputerinvestigations.wordpress.com/2010/03/24/corporate-investigation-a-case-study/
DAY TWO
Origins of Forensic Science
700 AD: Chinese use fingerprints for ID
1248 AD: First recorded application of medical knowledge to the solution of crime - the Chinese text “A Washing Away of Wrongs” contains a description of how to distinguish drowning from strangulation
Source: class note by Rob Guess
Image Source: thecomputerforensics.info
Eugène François Vidocq
Outlaw son of a baker
In return for a suspension of arrest and a jail sentence, Vidocq made a deal with the police to establish the first detective force, the Sûreté of Paris (1811)
Introduced record keeping, ballistics, plaster casts for footprint analysis, etc
Founded the first modern detective agency and credit bureau
Source: class note by Rob Guess
Alphonse Bertillon (1853~1914)
French law officer
Anthropometry/Bertillonage - Early system of biometrics using measurements of body parts to ID perpetrators / victims
Introduced use of crime scene photography and mug shots
Source: class note by Rob Guess
Image Source: http://www.britannica.com/EBchecked/topic/62827/Alphonse-Bertillon
Edmond Locard
Student of Bertillon
Professor of forensic medicine at the University of Lyons
Established the first crime laboratory
Developed edgeoscopy and poreoscopy
› Standard 12 points to ID a fingerprint
Developed forensic microscopy
Source: class note by Rob Guess
Edgeoscopy and Poreoscopy
› The figure below shows a high resolution fingerprint image and images highlighting the pores, ridge contours, and edgeoscopic points.
[Figure panels: Input, Pores, Ridge contours, Edgeoscopic points]
Source: http://sourceforge.net/apps/mediawiki/level3tk/index.php?title=Main_Page
Microscopy
› the technical field of using microscopes to view samples and objects that cannot be seen with the unaided eye (objects that are not within the resolution range of the normal eye).
Source: http://en.wikipedia.org/wiki/Microscopy
A Brief History of Computer Forensics (1)
1970s: electronic crimes were increasing, especially in the financial sector
Most law enforcement officers didn’t know enough about computers to ask the right questions
› Or to preserve evidence for trial
Fraction of a penny crime
A Brief History of Computer Forensics (2)
1980s
› Norton DiskEdit soon followed and became the best tool for finding deleted files
› Apple produced the Mac SE, a Macintosh with an external EasyDrive hard disk with 60 MB of storage
A Brief History of Computer Forensics (3)
Since the 1990s
Tools for computer forensics were available
International Association of Computer Investigative Specialists (IACIS), www.iacis.com
› Training on software for forensics investigations
ExpertWitness for the Macintosh
› First commercial GUI software for computer forensics
› Created by ASR Data (www.asrdata.com)
Portable Forensic Tools
Image Source: atp-p51.com
Understanding Case Law
Technology is evolving at an exponential pace
› Existing laws and statutes can’t keep up with the change
Case law is used when statutes or regulations don’t exist
Case law allows legal counsel to use previous cases similar to the current one
› Because the laws don’t yet exist
Each case is evaluated on its own merit and issues
Preparing for Computer Investigations
Computer investigations and forensics fall into two distinct categories
› Public investigations
› Private or corporate investigations
Public investigations
› Involve government agencies responsible for criminal investigations and prosecution
› Organizations must observe legal guidelines
Law of search and seizure
› Protects rights of all people, including suspects
Preparing for Computer Investigations
Private or corporate investigations
› Deal with private companies, non-law-enforcement government agencies, and lawyers
› Aren’t governed directly by criminal law or Fourth Amendment issues
› Governed by internal policies that define expected employee behavior and conduct in the workplace
Private corporate investigations also involve litigation disputes
Investigations are usually conducted in civil cases
Understanding Corporate Investigations
Private or corporate investigations
› Involve private companies and lawyers who address company policy violations and litigation disputes
Corporate computer crimes can involve:
› E-mail harassment
› Falsification of data
› Gender and age discrimination
› Embezzlement
› Sabotage
› Industrial espionage
Understanding Corporate Investigations
Establishing company policies
› One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
› Published company policies provide a line of authority for a business to conduct internal investigations
› Well-defined policies give computer investigators and forensic examiners the authority to conduct an investigation
Displaying warning banners
› Another way to avoid litigation
Maintaining Professional Conduct
Professional conduct
› Determines your credibility
› Includes ethics, morals, and standards of behavior
Maintaining objectivity means you must form and sustain unbiased opinions of your cases
Maintain an investigation’s credibility by keeping the case confidential
› In the corporate environment, confidentiality is critical
› In rare instances, your corporate case might become a criminal case as serious as murder
Maintaining Professional Conduct
Role of the computer forensics professional is to gather evidence
› Forensic investigators are not police officers; it is our duty to show what happened, not to prove guilt or innocence.
Collect evidence that can be offered in court or at a corporate inquiry
› Investigate the suspect’s computer
› Preserve the evidence on a different computer
Chain of custody
› Route the evidence taken from the time you find it until the case is closed or goes to court
Taking a Systematic Approach
Steps for problem solving
› Make an initial assessment about the type of case you are investigating
› Determine the resources you need
› Obtain and copy an evidence disk drive
› Identify the risks
› Mitigate or minimize the risks
› Analyze and recover the digital evidence
› Investigate the data you recover
› Complete the case report
› Critique the case
Securing Your Evidence
Use evidence bags to secure and catalog the evidence
Use computer safe products
› Antistatic bags
› Antistatic pads
Use well padded containers
Use evidence tape to seal all openings
› Power supply electrical cord
Write your initials on the tape to prove that the evidence has not been tampered with
Consider computer specific temperature and humidity ranges
Understanding Data Recovery Workstations and Software
Investigations are conducted in a computer forensics lab (or data-recovery lab)
Computer forensics and data recovery are related but different
Computer forensics workstation
› Specially configured personal computer
› Loaded with additional bays and forensics software
To avoid altering the evidence, use:
› Forensics boot disk, write-blocker devices, network interface card (NIC), extra USB ports, FireWire 400/800 ports, SCSI card, disk editor tool, text editor tool, graphics viewer program, other specialized viewing tools
Sources of File System Evidence
File Slack
Free Space - “Unallocated” Clusters
Deleted Files
Page File / Swap Partition
Unpartitioned “Free” Space
Host Protected Areas
Source: class note by Rob Guess
Understanding Bit-Stream Copies (1)
Bit-stream copy
› Bit-by-bit copy of the original storage medium
› Exact copy of the original disk
› Different from a simple backup copy
Backup software only copies known files
› Backup software cannot copy deleted files or e-mail messages, or recover file fragments
Understanding Bit-Stream Copies (2)
Bit-stream image
› File containing the bit-stream copy of all data on a disk or partition
› Also known as a forensic copy
Class Activity THREE: Acquiring an Image of Evidence Media and Recovering a Deleted File
First rule of computer forensics
› Preserve the original evidence
› Conduct your analysis only on a copy of the data
Use FTK Imager to create a forensic image
› http://accessdata.com/support/adownloads
Your job is to recover data from deleted files
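The Activity Three workflow in miniature, as an added example that is not part of the slides and is not FTK Imager's code: a bit-stream copy of a constructed in-memory disk with hash verification, the backup view that only sees files the directory still lists, and signature carving over unallocated sectors to bring the deleted file back. The one-sector "directory" format, the BEGIN/END markers and the file contents are all constructed for the demo.

```python
import hashlib

SECTOR = 512  # the constructed disk uses 512-byte sectors


def build_sample_disk() -> bytes:
    """Constructed raw disk: sector 0 is a one-line 'directory' naming the live
    file and its sector; sector 2 holds that file; sector 3 holds a file that was
    deleted (its directory entry is gone, its bytes are not); 1 and 4 are empty."""
    directory = b"DIR:notes.txt@2\n".ljust(SECTOR, b"\x00")
    live_file = b"meeting notes: nothing to see here\n".ljust(SECTOR, b"\x00")
    deleted = (b"--BEGIN SECRET--\nwire transfer 48,000 USD to account 99\n"
               b"--END SECRET--").ljust(SECTOR, b"\x00")
    empty = b"\x00" * SECTOR
    return directory + empty + live_file + deleted + empty


def _directory_entries(image: bytes) -> dict:
    """Parse the constructed directory sector into {name: sector}."""
    text = image[:SECTOR].rstrip(b"\x00").decode()
    entries = {}
    for line in text.splitlines():
        name, sector = line[len("DIR:"):].split("@")
        entries[name] = int(sector)
    return entries


def backup_copy(disk: bytes) -> dict:
    """What backup software produces: only the files the directory still lists."""
    return {name: disk[s * SECTOR:(s + 1) * SECTOR].rstrip(b"\x00")
            for name, s in _directory_entries(disk).items()}


def bit_stream_copy(disk: bytes) -> tuple:
    """Copy every byte of the medium, then hash source and image so the copy can
    be verified later (the reason imaging tools record hashes)."""
    image = bytes(disk)
    source_hash = hashlib.sha256(disk).hexdigest()
    image_hash = hashlib.sha256(image).hexdigest()
    if source_hash != image_hash:
        raise RuntimeError("acquisition failed verification")
    return image, image_hash


def unallocated_sectors(image: bytes) -> list:
    """Sectors the directory does not reference: where deleted data survives."""
    used = {0} | set(_directory_entries(image).values())
    return [i for i in range(len(image) // SECTOR) if i not in used]


def carve(image: bytes, header: bytes, footer: bytes) -> list:
    """Signature carving over the unallocated space of the image (never the
    original medium): return every header..footer run found."""
    free = b"".join(image[s * SECTOR:(s + 1) * SECTOR] for s in unallocated_sectors(image))
    found, pos = [], 0
    while True:
        start = free.find(header, pos)
        if start == -1:
            break
        end = free.find(footer, start + len(header))
        if end == -1:
            break
        found.append(free[start:end + len(footer)])
        pos = end + len(footer)
    return found


def recover_deleted(image: bytes) -> list:
    """Recover the constructed-format file(s) deleted from the sample disk."""
    return carve(image, b"--BEGIN SECRET--", b"--END SECRET--")


if __name__ == "__main__":
    original = build_sample_disk()
    print("backup sees only:", list(backup_copy(original)))
    image, digest = bit_stream_copy(original)
    print("image sha256:", digest)
    for recovered in recover_deleted(image):
        print("carved from unallocated space:\n" + recovered.decode())
```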
DAY THREE
Web Browsing Application
World Wide Web allows users to access resources (i.e. documents) located in computers connected to the Internet
Documents are prepared using HyperText Markup Language (HTML)
A browser application program is used to access the web
The browser displays HTML documents that include links to other documents
Each link references a Uniform Resource Locator (URL) that gives the name of the machine and the location of the given document
Let’s see what happens when a user clicks on a link
Source: Communication Networks, Leon-Garcia and Widjaja
1. DNS
User clicks on http://www.nytimes.com/
URL contains the Internet name of the machine (www.nytimes.com), but not its Internet address
The Internet needs the Internet address to send information to a machine
Browser software uses the Domain Name System (DNS) protocol to send a query for the Internet address
The DNS system responds with the Internet address
Q. www.nytimes.com?
A. 64.15.247.200
Source: Communication Networks, Leon-Garcia and Widjaja
2. TCP
Browser software uses HyperText Transfer Protocol (HTTP) to send a request for the document
HTTP server waits for requests by listening on a well-known port number (80 for HTTP)
HTTP client sends request messages through an “ephemeral port number,” e.g. 1127
HTTP needs a Transmission Control Protocol (TCP) connection between the HTTP client and the HTTP server to transfer messages reliably
TCP Connection Request: From 128.100.11.13 Port 1127, To 64.15.247.200 Port 80
ACK, TCP Connection Request: From 64.15.247.200 Port 80, To 128.100.11.13 Port 1127
ACK
Source: Communication Networks, Leon-Garcia and Widjaja
3. HTTP
HTTP client sends its request message: “GET …”
HTTP server sends a status response: “200 OK”
HTTP server sends the requested file
Browser displays the document
Clicking a link sets off a chain of events across the Internet! Let’s see how protocols & layers come into play…
GET / HTTP/1.1
200 OK
Content
Source: Communication Networks, Leon-Garcia and Widjaja
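The three steps above run end to end, as an added example that is not from the slides or from Leon-Garcia and Widjaja: a tiny HTTP server on the loopback address stands in for www.nytimes.com and an OS-chosen port stands in for well-known port 80 (both assumptions, so the demo runs offline); the client resolves the name, connects from an ephemeral port, sends `GET / HTTP/1.1` and receives `200 OK` plus the document, and both sides record what they saw.

```python
import socket
import threading

# Constructed document served by the demo server
HTML = b"<html><body><h1>Hello from the demo server</h1></body></html>"


def serve_one_request(listener: socket.socket) -> dict:
    """Server side: accept one TCP connection, read the request, answer with
    '200 OK' and the document, then close. Returns what the server observed."""
    conn, peer = listener.accept()
    conn.settimeout(5)
    with conn:
        request = b""
        while b"\r\n\r\n" not in request:  # read until end of request headers
            chunk = conn.recv(4096)
            if not chunk:
                break
            request += chunk
        request_line = request.split(b"\r\n", 1)[0].decode()
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     + b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(HTML)
                     + HTML)
    # peer[1] is the client's ephemeral port as seen from the server side
    return {"request_line": request_line, "client_port": peer[1]}


def fetch(hostname: str, port: int) -> dict:
    """Client side, in the order of the slides: (1) resolve the name,
    (2) open a TCP connection from an ephemeral port, (3) send GET and read
    the status line and the content."""
    # 1. DNS: turn the machine name into an Internet address
    try:
        address = socket.getaddrinfo(hostname, port, socket.AF_INET,
                                     socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror:
        address = "127.0.0.1"  # assumption: no resolver in this sandbox; loopback by definition
    # 2. TCP: the three-way handshake happens inside connect()
    with socket.create_connection((address, port), timeout=5) as s:
        ephemeral_port = s.getsockname()[1]  # OS-chosen, like port 1127 on the slide
        # 3. HTTP: request message, then status response and content come back
        s.sendall(b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
                  % hostname.encode())
        raw = b""
        while True:  # server closes after the response, so read to EOF
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode()
    return {"address": address, "ephemeral_port": ephemeral_port,
            "status_line": status_line, "body": body}


def run_exchange() -> dict:
    """Start the server on an OS-chosen loopback port, run the client against
    it, and merge both sides' records into one transcript of the exchange."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    listener.settimeout(5)
    server_port = listener.getsockname()[1]
    server_seen = {}
    t = threading.Thread(target=lambda: server_seen.update(serve_one_request(listener)))
    t.start()
    client_seen = fetch("localhost", server_port)
    t.join()
    listener.close()
    return {"server_port": server_port, **server_seen, **client_seen}


if __name__ == "__main__":
    for step, value in run_exchange().items():
        print(f"{step}: {value!r}")
```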
ACTIVITY FOUR: Cookies and Grabbing Passwords with Wireshark
Wireshark
› http://www.wireshark.org/download.html
Grabbing cookies
› http://www.httprecipes.com/1/2/cookies.php (Source: the website is provided by Heaton Research, Inc.)
Grabbing passwords
› http://www.httprecipes.com/1/2/forms.php (Source: the website is provided by Heaton Research, Inc.)
Attacking Analysis
Evasion of Detection
› Avoid Writing to Disk
› Make Data look Innocent
Evidence Hiding
› Presence of Encrypted Data*
› Evidence of Steganography*
› ADS*, Files Within Files, Slack Space, Bad Blocks
Insertion
› Insert Erroneous or Misleading Data
› Randomize / Modify File System MAC Times
* Red Flags
Source: class note by Rob Guess
Encryption Terms
Plaintext – Original Message
Algorithm – Transformation Procedure
Key – Variable used to scramble the message
Ciphertext – Resulting garbled output
Source: class note by Rob Guess
ACTIVITY FIVE: Encryptor and Decryptor
PKI Demo Applet
› http://cisnet.baruch.cuny.edu/holowczak/classes/9444/rsademo/
Steganography (1)
The Science of Hiding Information
› History – Tablets, shaved heads
› Now - Images, sounds, other files
Data is frequently encrypted
› Frequency analysis can detect this
Source: class note by Rob Guess
Steganography (2)
Source: http://petitcolas.net/fabien/steganography/image_downgrading/index.html
The image in which we want to hide another image: ‘Arctic hare’ – Copyright photos courtesy of Robert E. Barber, Barber Nature Photography ([email protected])
Steganography (3)
Source: http://petitcolas.net/fabien/steganography/image_downgrading/index.html
The image we wish to hide: ‘F15’ – Copyright photo courtesy of Toni Lankerd, 18347 Woodland Ridge Dr. Apt #7, Spring Lake, MI 49456, U.S.A. ([email protected])
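The image downgrading trick the two slides above link to, and the frequency-analysis point from Steganography (1), as an added example that is not part of the slides and not petitcolas.net's code: on constructed 8-bit grayscale images the low 4 bits of each cover pixel are replaced by the high 4 bits of the secret image, and the same low bits can carry arbitrary bytes. The examiner-side statistic at the end shows why an encrypted payload stands out (its low bits look random) while a hidden image does not; the images, the seeded "ciphertext" stand-in and the 4.0 threshold are constructed for the demo.

```python
import random

W, H = 64, 64  # constructed image size


def make_cover():
    """Smooth gradient cover: neighbouring pixels differ by 1, like a natural image."""
    return [[(x + y) % 256 for x in range(W)] for y in range(H)]


def make_secret():
    """Second image to hide: vertical stripes in 8 grey levels."""
    return [[(x // 8) * 32 for x in range(W)] for y in range(H)]


def downgrade_hide(cover, secret):
    """Image downgrading: keep the 4 high bits of the cover pixel, put the
    4 high bits of the secret pixel in the 4 low bits."""
    return [[(c & 0xF0) | (s >> 4) for c, s in zip(cr, sr)]
            for cr, sr in zip(cover, secret)]


def downgrade_extract(stego):
    """Recover the hidden image: its top 4 bits come back, its low 4 are lost."""
    return [[(p & 0x0F) << 4 for p in row] for row in stego]


def nibble_hide_bytes(cover, payload):
    """Hide arbitrary bytes (e.g. ciphertext) one nibble per pixel, row-major."""
    nibbles = [n for b in payload for n in (b >> 4, b & 0x0F)]
    out, i = [], 0
    for row in cover:
        new_row = []
        for p in row:
            new_row.append((p & 0xF0) | nibbles[i] if i < len(nibbles) else p)
            i += 1
        out.append(new_row)
    return out


def nibble_extract_bytes(stego, length):
    """Read the low nibbles back and pair them into bytes."""
    flat = [p & 0x0F for row in stego for p in row]
    return bytes((flat[2 * k] << 4) | flat[2 * k + 1] for k in range(length))


def low_bits_neighbour_score(img):
    """Mean |difference| of the low nibble between horizontally adjacent pixels.
    Image-like content gives a small value; random-looking (encrypted) data
    gives about 5.3, the mean for independent uniform nibbles 0..15."""
    diffs = [abs((row[x] & 0x0F) - (row[x + 1] & 0x0F))
             for row in img for x in range(len(row) - 1)]
    return sum(diffs) / len(diffs)


def flags_random_payload(img, threshold=4.0):
    """Examiner check: are the low bits too random for a natural image?"""
    return low_bits_neighbour_score(img) > threshold


def demo():
    cover, secret = make_cover(), make_secret()
    stego_img = downgrade_hide(cover, secret)
    # Stand-in for ciphertext: seeded random bytes (what good cipher output looks like)
    rng = random.Random(1234)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(W * H // 2))
    stego_enc = nibble_hide_bytes(cover, ciphertext)
    return {
        "score_cover": round(low_bits_neighbour_score(cover), 2),
        "score_image_in_image": round(low_bits_neighbour_score(stego_img), 2),
        "score_encrypted_payload": round(low_bits_neighbour_score(stego_enc), 2),
        "flagged_image_in_image": flags_random_payload(stego_img),
        "flagged_encrypted_payload": flags_random_payload(stego_enc),
        "extracted_image_ok": downgrade_extract(stego_img) == [[s & 0xF0 for s in r] for r in secret],
        "extracted_bytes_ok": nibble_extract_bytes(stego_enc, len(ciphertext)) == ciphertext,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The neighbour statistic only catches payloads without spatial structure, which is exactly the encrypted case the slide names; a hidden image keeps its neighbour correlation and needs other tests.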
DAY FOUR
Activity SIX: Write a wrap-up report: 1 hour
Please include the following in your report and email it to me at [email protected]
› What is your name?
› What did you learn from this class?
› What do you like most in this class?
› Do you have any suggestions to improve this class?
› Any memo to me (Instructor) and the TA?
› Anything else?
Activity SEVEN: Prepare the Friday presentation
Today’s plan
› Brainstorming: about 30 minutes
› Prepare the presentation: about 2 hours
Presentation length: 10 minutes
Any Questions?