Jay M. Lightfoot, Ph.D., GCFA. Spring 2015. BACS 371 Computer Forensics.
Welcome!
Welcome to BACS 371—Computer Forensics. This course will likely be one of the most challenging (and interesting) courses of your degree program.
It is a mixture of law enforcement, technical computer science, and psychology.
Computer Forensics…
… involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.[1]
[1] Kruse & Heiser, Computer Forensics: Incident Response Essentials, Lucent Technologies, 2002
Computer Crime in Pop Culture
Course Overview
Syllabus
Reading: Textbooks; Supplementary Articles
Grading: In-Class Assignments; Homework (papers, podcast write-ups, forensic problems, …); Labs; Quizzes; Exams; Misc.
In-Class work
Periodically I will assign relatively small projects that are intended to be done during class.
These will be due at the beginning of the next class period.
Often, you won’t finish the project during class, so despite the “in-class” name, you will sometimes need to work on them out of class also.
To minimize this, I will partially “flip” the class so that some lectures and software demonstrations are recorded. You will need to watch these recordings before class in order to get the full benefit of the exercise.
Homework
Homework will periodically be assigned. Homework problems are more elaborate than in-class work and generally take more time.
You will generally not be given class time to work on homework.
It is due at the beginning of the period on the due date.
Most homework assignments are “individual assignments.”
Lab Projects
Lab projects are more elaborate than in-class work and normally take several days to complete.
Most lab projects will be “group projects”. A group consists of 2 people. One project is turned in for the group and both members share the same grade.
It is up to you to make sure that each member understands the project well enough to answer questions on the test.
Off-hour lab access can be arranged via your Bear Card.
Some special hardware may be assigned to your group. You are responsible for keeping track of it and making sure that it is put up after use.
You will each need to have a USB flash drive (8GB or more).
Optionally, you may also want to purchase a 2.5 inch external drive (80 GB minimum).
Quizzes
Quizzes are short, unannounced “tests” that are given over recently covered material.
They are normally given at the beginning of class.
If you arrive late, you do not have extra time to complete them.
There are no make-up quizzes (but I do drop the lowest quiz grade).
They are intended to help you identify areas that you need to study prior to the tests.
Examinations
There are 3 examinations in this course. The first 2 are worth 15% of your grade and the 3rd (i.e., the “final”) is worth 25%.
The final is comprehensive. The first 2 examinations only cover the new material (to the extent possible).
There are rules that allow you to make up one of the first 2 examinations, but you cannot make up the final. See the syllabus for details.
Course Expectations
This is a new field – help me create content for the semester!
Work hard, read all assignments, look for alternative sources of information
Ask questions!! Be curious! Be sure you understand as you go.
Fast pace! Somewhat obscure material! (but it’s also very interesting)
Learn from your classmates. When you learn new things, teach the rest of us!
Create a Course Binder*
Reading: Supplementary Articles; Notes distributed during class
Assignments: In-Class Activities; Labs; Homework Assignments
Presentation Slides
Class Notes
Document templates: Chain of custody; Evidence gathering notes; etc.
Other References
* This is just a suggestion; it is not required.
Internet Crime Complaint Center: 2013 Internet Fraud Crime Report (latest available)
Internet Fraud Complaint Center (IFCC) began operation May 8, 2000
Partnership between National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation (FBI)
Vehicle to receive, develop, and refer criminal complaints in cyber crime
Renamed Internet Computer Crime Complaint Center (IC3) on December 1, 2003
http://www.ic3.gov
Data from January 1, 2012 – December 31, 2013
262,813 complaints received for $781,841,611 (48.8% $ increase over 2012)
119,457 of these involved a monetary loss
Average dollar loss: $6,245
Top 5 reported loss categories (as of 2011 report):
FBI-Related scams: 35,764
Advanced fee fraud: 27,892
Identity theft: 28,915
Non-Auction, Non-delivery of merchandise: 22,404
Overpayment fraud: 18,511
Annual IC3 Complaints (chart: Total IC3 Complaints per year, 2001–2013; data labels as shown on the slide)
2001: 50,412
2002: 75,064
2003: 124,449
2004: 207,492
2005: 231,493
2006: 207,492
2007: 206,884
2008: 275,284
2009: 336,655
2010: 303,809
2011: 314,246
2012: 289,874
2013: 262,813
Yearly Dollar Loss Trend (chart: Total $ Loss per year, 2001–2013, in millions; only 12 data labels were recovered from the slide for the 13 years, so they are listed in chart order without year assignment)
17.854, 125.6, 68.1, 183.1, 198.4, 239.1, 264.6, 559.7, 525, 458.3, 525.4, 781.8
FBI Computer Forensics Lab in Colorado
http://www.rcfl.gov/
http://www.rmrcfl.org/
CENTENNIAL, Colo. (AP) - A new forensic laboratory will open next month to help law enforcement authorities in Colorado and Wyoming investigate crimes involving technology. Analysts at the Rocky Mountain Regional Computer Forensic Laboratory in Centennial can work with seized computers to dredge up deleted files, see what web sites have been displayed and find e-mail messages.
DENVER (AP) - The number of incidents involving nurses and other medical professionals stealing drugs meant for patients is growing, despite technology in narcotics dispensers that makes that increasingly difficult. State officials say there were 76 cases of “diverted drugs” in Colorado’s hospitals this fiscal year, almost triple the 26 reported in fiscal year 2001.
16 Regional Forensic Labs
RCFL Statistics - 2012
Famous Cases with Forensic Links
Enron
BTK Serial Killer
Chandra Levy
Wikileaks
Times Square bomber
Dr. Conrad Murray (Michael Jackson’s physician)
. . .
Laws and Statutes Coverage
Computer forensics deals with laws:
Regarding Computer Crime
Regarding Collection of Digital Evidence
Regarding Handling of Digital Evidence
Regarding Disposition & Analysis of Digital Evidence
Regarding Privacy
And many of these laws are “dynamic”
Computer Basics
Hardware: Hard Drive; Removable Drives (“thumb drives”); RAM; Networking (minimal classroom coverage)
Software: Operating Systems (DOS/Windows/UNIX); File Systems (FAT32/NTFS/EXT3); Applications (MS Word, Adobe, Outlook, …)
Computer Forensic Methods
Active Data: Data intentionally remaining on the computer; Data hidden in plain sight
Latent Data: Data unintentionally remaining on the computer; Data recoverable by forensic methods
“Live” vs. “Dead” (aka “static”) analysis
Forensic Tools - WinHex
Forensic Tools – Directory Snoop
Forensic Tools – Shadow Explorer
Forensic Tools – Partition Manager
Forensic Tools – FTK Imager
BACS 371 Will Not Cover
Network Forensics
File Systems other than FAT/NTFS (e.g.: no Mac, Solaris, DVD, CD, …)
Malware (e.g.: Viruses, Trojan Horses, Spyware, …)
Mobile Devices
Prevention
Advanced Data Hiding: Breaking Password Protection; Encrypted Files; Steganography
Computer Forensics Certifications

| Certification | Agency | Notes | Website |
|---|---|---|---|
| CCE – Certified Computer Examiner | ISFCE – International Society of Forensic Computer Examiners | Pass online exam and hands-on test | http://www.certified-computer-examiner.com/ |
| CFCE – Certified Forensic Computer Examiner | IACIS – International Association of Computer Investigation Specialists | Must be sworn law enforcement officer or govt employee | |
| GCFA – GIAC Certified Forensic Analyst | GIAC – Global Information Assurance Certification (SANS Institute) | | http://www.sans.org/ |
| CCCI, CCFT – Certified Computer Crime Investigator, Certified Computer Forensic Technician | HTCN – High Tech Crime Network | | http://www.htcn.org/ |
| Tool Specific Certifications (e.g., EnCase) | OSU – Oregon State University | As part of the NTI Training Class | |
Careers in Computer Forensics
Law Enforcement
Criminal Investigation
Corporate Computer Security
DoD/Military/Government
Information Technology
Consulting Firms
Expert Witness
Computer Forensics Job Trends*
* As of January 2015
Computer Forensics Salary Average*
* As of January 2015
Characteristics of a Good Cyber Investigator[1]
Excellent observation skills
Good memory
Organization skills
Documentation skills
Objectivity
Knowledge
Ability to think like a criminal
Intellectually controlled constructive imagination
Curiosity
Stamina
Patience
Love of learning
[1] Scene of the Cybercrime, Shinder & Tittel, p. 136
Plus[1]…
A basic knowledge of computer science
An understanding of computer networking protocols
Knowledge of computer jargon
An understanding of hacker culture
Knowledge of computer and networking security issues
Knowledge of computer file systems (FAT, FAT32, NTFS, Ext2, etc.)
[1] Scene of the Cybercrime, Shinder & Tittel, p. 136
The Perfect Forensics Candidate[1]
Strong Computer Skills
Investigative Background
Understanding of state and federal statutes relating to the collection and preservation of evidentiary data
Understanding of criminal statutes
High ethical and moral standards
[1] The Perfect Forensics Candidate, Computerworld, January 14, 2002, http://www.computerworld/com/printthis/2002/0,4814,67228,00.html
BACS 371
So, are you ready to get started?