Jay M. Lightfoot, Ph.D., GCFA Spring 2015 BACS 371 Computer Forensics.


Jay M. Lightfoot, Ph.D., GCFA
Spring 2015

BACS 371 Computer Forensics


Welcome!

Welcome to BACS 371—Computer Forensics. This course will likely be one of the most challenging (and interesting) courses of your degree program.

It is a mixture of law enforcement, technical computer science, and psychology.


Computer Forensics…

… involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. [1]

[1] Kruse & Heiser, Computer Forensics: Incident Response Essentials, Lucent Technologies, 2002


Computer Crime in Pop Culture


Course Overview

Syllabus
Reading
  Textbooks
  Supplementary Articles
Grading
  In-Class Assignments
  Homework (papers, podcast write-ups, forensic problems, …)
  Labs
  Quizzes
  Exams
  Misc.


In-Class work

Periodically I will assign relatively small projects that are intended to be done during class.

These will be due at the beginning of the next class period.

Often, you won’t finish the project during class, so despite the “in-class” name, you will sometimes need to work on them out of class also.

To minimize this, I will partially “flip” the class so that some lectures and software demonstrations are recorded. You will need to watch these recordings before class in order to get the full benefit of the exercise.


Homework

Homework will periodically be assigned. Homework problems are more elaborate than in-class work and generally take more time.

You will generally not be given class-time to work on homework.

It is due at the beginning of the period on the due date.

Most homework assignments are “individual assignments.”


Lab Projects

Lab projects are more elaborate than in-class work and normally take several days to complete.

Most lab projects will be “group projects”. A group consists of 2 people. One project is turned in for the group and both members share the same grade.

It is up to you to make sure that each member understands the project well enough to answer questions on the test.

Off-hour lab access can be arranged via your Bear Card.

Some special hardware may be assigned to your group. You are responsible for keeping track of it and making sure that it is put up after use.

You will each need to have a USB flash drive (8GB or more).

Optionally, you may also want to purchase a 2.5 inch external drive (80 GB minimum).


Quizzes

Quizzes are short, unannounced “tests” that are given over recently covered material.

They are normally given at the beginning of class.

If you arrive late, you do not have extra time to complete them.

There are no make-up quizzes (but I do drop the lowest quiz grade).

They are intended to help you know areas that you need to study prior to the tests.


Examinations

There are 3 examinations in this course. The first 2 are worth 15% of your grade and the 3rd (i.e., the “final”) is worth 25%.

The final is comprehensive. The first 2 examinations only cover the new material (to the extent possible).

There are rules that allow you to make up one of the first 2 examinations; but you cannot make up the final. See syllabus for details.


Course Expectations

This is a new field – help me create content for the semester!

Work hard, read all assignments, look for alternative sources of information

Ask Questions!! Be Curious! Be sure you understand as you go.

Fast pace! Somewhat obscure material! (but it’s also very interesting)

Learn from your classmates. When you learn new things, teach the rest of us!


Create a Course Binder*

Reading
  Supplementary Articles
  Notes distributed during class
Assignments
  In-Class Activities
  Labs
  Homework Assignments
Presentation Slides
Class Notes
Document templates
  Chain of custody
  Evidence gathering notes
  etc.
Other References

* This is just a suggestion, it is not required


Internet Crime Complaint Center – 2013 Internet Fraud Crime Report (latest available)

Internet Fraud Complaint Center (IFCC) began operation May 8, 2000
  Partnership between National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation (FBI)
  Vehicle to receive, develop, and refer criminal complaints in cyber crime
  Renamed Internet Computer Crime Complaint Center (IC3) on December 1, 2003
  http://www.ic3.gov

Data from January 1, 2012 – December 31, 2013
  262,813 complaints received for $781,841,611 (48.8% $ increase over 2012)
  119,457 of these involved a monetary loss
  Average dollar loss: $6,245

Top 5 reported loss categories (as of 2011 report):
  FBI-Related scams: 35,764
  Advanced fee fraud: 27,892
  Identity theft: 28,915
  Non-Auction, Non-delivery of merchandise: 22,404
  Overpayment fraud: 18,511


Annual IC3 Complaints

[Chart: Total IC3 Complaints per year, 2001–2013; data labels as shown on the slide]

Year   Complaints
2001       50,412
2002       75,064
2003      124,449
2004      207,492
2005      231,493
2006      207,492
2007      206,884
2008      275,284
2009      336,655
2010      303,809
2011      314,246
2012      289,874
2013      262,813


Yearly Dollar Loss Trend

[Chart: Total $ Loss per year, 2001–2013, in millions; data labels as shown on the slide]

Year   Loss ($ millions)
2001        17.8
2002        54
2003       125.6
2004        68.1
2005       183.1
2006       198.4
2007       239.1
2008       264.6
2009       559.7
2010       525
2011       458.3
2012       525.4
2013       781.8


FBI Computer Forensics Lab in Colorado

http://www.rcfl.gov/
http://www.rmrcfl.org/

CENTENNIAL, Colo. (AP) _ A new forensic laboratory will open next month to help law enforcement authorities in Colorado and Wyoming investigate crimes involving technology. Analysts at the Rocky Mountain Regional Computer Forensic Laboratory in Centennial can work with seized computers to dredge up deleted files, see what web sites have been displayed and find e-mail messages.

DENVER (AP) _ The number of incidents involving nurses and other medical professionals stealing drugs meant for patients is growing -- despite technology in narcotics dispensers that makes that increasingly difficult. State officials say there were 76 cases of ``diverted drugs'' in Colorado's hospitals this fiscal year -- almost triple the 26 reported in fiscal year 2001.


16 Regional Forensic Labs


http://www.rcfl.gov/


http://www.rmrcfl.org/


RCFL Statistics - 2012


http://www.ic3.gov/default.aspx


Famous Cases with Forensic Links

Enron
BTK Serial Killer
Chandra Levy
Wikileaks
Times Square bomber
Dr. Conrad Murray (Michael Jackson’s physician)
. . .


Laws and Statutes Coverage

Computer forensics deals with laws:
  Regarding Computer Crime
  Regarding Collection of Digital Evidence
  Regarding Handling of Digital Evidence
  Regarding Disposition & Analysis of Digital Evidence
  Regarding Privacy

And many of these laws are “dynamic”


Computer Basics

Hardware
  Hard Drive
  Removable Drives (“thumb drives”)
  RAM
  Networking (minimal classroom coverage)

Software
  Operating Systems (DOS/Windows/UNIX)
  File Systems (FAT32/NTFS/EXT3)
  Applications (MS Word, Adobe, Outlook, …)


Computer Forensic Methods

Active Data
  Data intentionally remaining on the computer
  Data hidden in plain sight

Latent Data
  Data unintentionally remaining on the computer
  Data recoverable by forensic methods

“Live” vs. “Dead” (aka “static”) analysis


Forensic Tools - WinHex


Forensic Tools – Directory Snoop


Forensic Tools – Shadow Explorer


Forensic Tools – Partition Manager


Forensic Tools – FTK Imager


BACS 371 Will Not Cover

Network Forensics
File Systems other than FAT/NTFS
  E.g.: no Mac, Solaris, DVD, CD, …
Malware
  E.g.: Viruses, Trojan Horses, Spyware, …
Mobile Devices
Prevention
Advanced Data Hiding
  Breaking Password Protection
  Encrypted Files
  Steganography


Computer Forensics Certifications

Certification | Agency | Notes | Website
CCE – Certified Computer Examiner | ISFCE – International Society of Forensic Computer Examiners | Pass online exam and hands-on test | http://www.certified-computer-examiner.com/
CFCE – Certified Forensic Computer Examiner | IACIS – International Association of Computer Investigation Specialists | Must be sworn law enforcement officer or govt employee |
GCFA – GIAC Certified Forensic Analyst | GIAC - Global Information Assurance Certification, SANS Institute | | http://www.sans.org/
CCCI, CCFT – Certified Computer Crime Investigator, Certified Computer Forensic Technician | HTCN – High Tech Crime Network | | http://www.htcn.org/
Tool Specific Certifications | OSU – Oregon State University; EnCase | As part of the NTI Training Class |


Careers in Computer Forensics

Law Enforcement
Criminal Investigation
Corporate Computer Security
DoD/Military/Government
Information Technology
Consulting Firms
Expert Witness


Computer Forensics Job Trends*

* As of January 2015


Computer Forensics Salary Average*

* As of January 2015


Characteristics of a Good Cyber Investigator [1]

Excellent observation skills
Good memory
Organization skills
Documentation skills
Objectivity
Knowledge
Ability to think like a criminal
Intellectually controlled constructive imagination
Curiosity
Stamina
Patience
Love of learning

[1] Scene of the Cybercrime, Shinder & Tittel, p.136


Plus [1]…

A basic knowledge of computer science
An understanding of computer networking protocols
Knowledge of computer jargon
An understanding of hacker culture
Knowledge of computer and networking security issues
Knowledge of computer file systems (FAT, FAT32, NTFS, Ext2, etc)

[1] Scene of the Cybercrime, Shinder & Tittel, p.136


The Perfect Forensics Candidate [1]

Strong Computer Skills
Investigative Background
Understanding of state and federal statutes relating to the collection and preservation of evidentiary data
Understanding of criminal statutes
High ethical and moral standards

[1] The Perfect Forensics Candidate, Computerworld, January 14, 2002, http://www.computerworld/com/printthis/2002/0,4814,67228,00.html


BACS 371

So, are you ready to get started?