Exam (elaborations)

CIS 410 Chapter 14: Introduction to Forensics Complete Graded A+

Pages: 4
Grade: A+
Uploaded on: 27-10-2022
Written in: 2022/2023

Forensics: the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts (forensics means "to bring to the court").
Goal of cyber forensics: to examine computer devices using scientific methods to extract evidence in such a way that it can be presented in a court.
Don't touch the suspect drive: touch the system as little as possible; you don't want to make changes to the system in the process of examining it.
Make a forensically valid copy of the drive: use a bootable Linux copy, and use the syntax to copy the information from a specific port to the forensics server.
Forensic ToolKit (FTK): made by AccessData; an expensive commercial product used to make images of drives and to mount images that have been made; allows you to recover deleted files, examine registry settings, and perform forensic examination tasks.
Document trail: document everything; when you begin the investigation, you must document every step.
Secure the evidence: the computer must be taken offline to prevent further tampering; limit access to the machine; the hard drive should be locked in a safe or secure cabinet; analysis should be done in a room with limited access; you must be able to document who had access to the evidence (chain of custody).
Chain of custody: detailed documentation showing the status of the evidence at every point in time, from the moment of seizure to the moment the evidence is presented in court.
FBI forensic guidelines: preserve the state of the computer by backing up logs and copies of any files left by the intruder; document the specific losses suffered due to the attack.
Computer evidence: logs, portable storage devices, emails, devices capable of storing data, cell phones.
U.S. Secret Service forensics guide: secure the scene and make it safe, preserve evidence, avoid accessing computer files, etc.
EU evidence gathering (5 principles): data integrity, audit trail, specialist support, appropriate training, legality.
SWGDE: Scientific Working Group on Digital Evidence; 4 steps of examination: 1. visual inspection, 2. forensic duplication, 3. media examination, 4. evidence return.
Locard's principle of transference: you cannot interact in any environment without leaving something behind.
EnCase: tool made by Guidance Software; allows you to image drives, recover deleted files, examine the registry, etc.; a competitor of FTK; used by law enforcement.
OSForensics: tool used to recover deleted files, examine the registry, and search the drive; low cost and easy to use.
Sleuth Kit: suite of open source tools; each tool can require you to learn a set of command line commands to execute.
Oxygen: specifically for phone forensics; analyzes iPhones and Android phones; doesn't work well with older Android phones.
Cellebrite: one of the most popular phone forensic tools; very effective; the only downside is that it is one of the most expensive phone forensics tools available.
Finding evidence in the browser: the browser can contain evidence of the specific crime; you could find evidence in the case of cyber stalking; if a person erases their history, it is still possible to retrieve it.
Security log: contains successful and unsuccessful login attempts.
Application log: contains events logged by applications or programs.
System log: contains events logged by Windows system components.
Forwarded events log: used to store events collected from remote computers.
Applications and services log: used to store events from a single application or component.
DiskDigger: free tool used to recover Windows files.
net session command: lists any active sessions connected to the computer you run it on.
openfiles command: for finding live, ongoing attacks; it will list any shared files that are currently open.
fc command: can be used with a forensic copy of a machine; it compares two files and shows the differences.
netstat command: used to detect ongoing attacks; lists all current network connections, both inbound and outbound.
The Windows registry: central database used in the Microsoft Windows family of operating systems to store information necessary to configure the system for one or more users, applications and hardware devices.
Hive: one of the five sections that the Windows registry is organized into.
SIM: Subscriber Identity Module; the heart of the phone; how you identify the phone; a removable chip.
IMSI: International Mobile Security Subscriber Identity; a 15-digit number used to uniquely identify a phone; if you change the SIM in the phone, you change the phone's identity.
ICCID: Integrated Circuit Card Identification; used to identify the phone; the SIM chip itself is identified by the ICCID.
GSM: Global System for Mobile Communications; older technology (2G); was originally developed for digital voice but was expanded to include data.
EDGE: Enhanced Data Rates for GSM Evolution; a level between 2G and 3G; designed to deliver media, such as television, over the cellular network.
UMTS: Universal Mobile Telecommunications System; the 3G upgrade to 2G; provides text, voice, video, and multimedia at data rates higher than 2 megabits per second.
LTE: Long Term Evolution (4G); provides broadband internet, multimedia, and voice; supports speeds of 300 megabits per second; based on IP just like a computer network.
iDEN: Integrated Digitally Enhanced Network; a GSM-based architecture that combines cell phone, two-way radio, pager, and modem into the same network; devised by Motorola.
iOS: released for the iPhone in 2007; for Macintosh; based on a touch interface; divided into 4 layers.
Android: operating system based on Linux; open source; first released in 2003.
Federal Rule 702: a witness who is qualified as an expert by knowledge, skill, training, or education may testify in the form of an opinion if: the knowledge will help to understand the evidence, the testimony is based on facts, the testimony is the product of reliable principles, and the expert has reliably applied the principles and methods to the facts of the case.
Daubert standard: used in the U.S. federal courts to determine whether or not an expert's scientific testimony is based on reasoning or methodology that is scientifically valid and can properly be applied to the facts at issue.

Institution: CIS 410
Course: CIS 410