Computer Fraud
© 2010 Property of JurInnov Ltd. All Rights Reserved
Presentation Overview
What is Computer Forensics?
Computer Forensics is a scientific, systematic inspection of the computer system and its contents utilizing specialized techniques and tools for recovery, authentication, and analysis of electronic data. It is customarily used when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis, or explanation of technical features of data and computer usage. Computer Forensics requires specialized expertise that goes beyond the normal data collection and preservation techniques available to end-users or system support personnel.
Types of “ESI”
• E-mail
• Office Files
• Database
• Ephemeral
• Legacy Systems
• Metadata
Sources of “ESI”
• Desktops
• Laptops
• CDs/DVDs
• Network Attached Storage Devices (NAS)
• Storage Area Networks (SAN)
• Servers
• Databases
• Backup Tapes
• E-Mail
• Archives
• Cell Phones/PDAs
• Thumb Drives
• Memory Cards
• External Storage Devices
• Cameras
• Printers
• GPS Devices
Types of Computer Fraud
How Does a Computer Operate?
• Hardware
– Processor
– Memory (RAM)
– Hard Drive
– CD/DVD Drive
– Motherboard
– Mouse/Keyboard
• Software
– Operating System
– Applications
Collecting “ESI”
• Forensic Harvesting
– What is a forensic copy?
Collecting “ESI”
• Network Harvest
• E-Mail Harvest
• Cell Phone / Device Seizure
Computer Forensics Process
• Interview Process/Needs Analysis
• Maintaining Chain of Custody
• Photograph Evidence
• Record Evidence Information (users, S/Ns, etc.)
• BIOS/CMOS Time
• Utilize Sanitized (“Wiped”) Drives
• Write Blocker
• On-Site Acquisition
• Forensic Lab Acquisition
Acquisition (Data Harvest)
• Software Tools
– EnCase (Guidance Software)
– Forensic Tool Kit (AccessData)
– Device Seizure (Paraben)
– Network Email Examiner (Paraben)
• Hardware Tools
– Write Blockers (Tableau)
– Talon (Logicube)
– Cell-Dek (Logicube)
Types of Data Acquisitions
• Image Types
– EnCase Image (.E01)
– DD Image (Linux)
– Custom Content Image (.AD1)
• ESI Locations
– Hard Drives
– Network Shares/Department Shares/Public Shares
– Server E-Mail
– Server Acquisition (On/Off)
– Cell Phone/PDA
– Thumb Drive/External Media
Forensic Considerations
• Transfer Speeds
– USB
– FireWire
– IDE
– SATA/eSATA
• Image Verification - MD5 Hash Values
• Work Copies
• Inventory Management
Forensic Considerations
• EnCase verification report for the image “Presentation Suspect Images”:
– Description: Physical Disk, 39102336 Sectors, 18.6GB
– Physical Size: 512 (bytes per sector)
– Starting Extent: 1S0
– Name: Presentation Suspect Images
– Actual Date: 03/24/09 03:17:21PM
– Target Date: 03/24/09 03:17:21PM
– File Path: E:\Presentation image.E01
– Case Number: Presentation Drive
– Evidence Number: Presentation Suspect Images
– Examiner Name: Stephen W. St.Pierre
– Drive Type: Fixed
– File Integrity: Completely Verified, 0 Errors
– Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1
– Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1
– GUID: 04d345276275524c8a111824be6eb170
– EnCase Version: 5.05j
– System Version: Windows 2003 Server
– Total Size: 20,020,396,032 bytes (18.6GB)
– Total Sectors: 39,102,336
Forensic Considerations
• Creating Work copy of original Backup Image
– Evidence Mover Log:
03/25/09 16:20:14 - Source file: F:\Evidence\Presentation image.E01
Destination file: G:\Evidence\Presentation image.E01.
Attempt# 1 Hash :9348B9FECFE8023FA3095FB710AFD678
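As an added illustration of the MD5 image verification and work-copy check shown in the two slides above (example code written for this page, not a JurInnov, EnCase or Evidence Mover tool; the file names and the 2 MiB sample image are constructed):

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read images in 1 MiB chunks so multi-GB files do not fill RAM


def hash_image(path, algorithm="md5"):
    """Hash an image file in chunks; MD5 matches the slides, sha256 also works."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, acquisition_hash, algorithm="md5"):
    """Re-hash the image and compare with the hash recorded at acquisition."""
    verify_hash = hash_image(path, algorithm)
    return {
        "acquisition_hash": acquisition_hash.lower(),
        "verify_hash": verify_hash,
        "verified": verify_hash == acquisition_hash.lower(),
    }


def make_work_copy(source, destination, acquisition_hash):
    """Copy the backup image and prove the copy hashes identically, as an
    evidence-mover log would record, before any analysis touches it."""
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return verify_image(destination, acquisition_hash)


def demo():
    """Constructed 2 MiB 'image' (a repeating byte pattern, not a real disk)."""
    tmp = tempfile.mkdtemp()
    original = os.path.join(tmp, "image.dd")
    work_copy = os.path.join(tmp, "image_work.dd")
    with open(original, "wb") as fh:
        fh.write(b"\x55\xaa" * (1 << 20))
    acquisition_hash = hash_image(original)  # recorded at harvest time
    source_ok = verify_image(original, acquisition_hash)["verified"]
    copy_ok = make_work_copy(original, work_copy, acquisition_hash)["verified"]
    # Damage one byte of the work copy: re-verification must now fail.
    with open(work_copy, "r+b") as fh:
        fh.seek(4096)
        fh.write(b"\x00")
    damaged_ok = verify_image(work_copy, acquisition_hash)["verified"]
    return source_ok, copy_ok, damaged_ok
```

A real verification would be run against the .E01 or DD file the slides describe and the hash stored in the case inventory; the damaged-copy case shows why the work copy, not the original, is the one that gets mounted for analysis.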
Forensic Considerations
• Windows Encryption
– Encrypted File System (XP)
– BitLocker (Vista & Windows 7)
• Other Hardware or Software Encryption
– Laptop hard drives
– e.g., TrueCrypt
Forensic Analysis
• Indexing
• Key Word Searching
• Filters
– AND/OR/NOT
– Date Range
– Specific File Types
Forensic Analysis
• Deletion
– Deleted Documents
– Recycle Bin (Deleted Dates/INFO2)
– Data Carving
– Unallocated Space
– Hard Drive Wiping
• Signature Analysis: File Extension vs. File Signature
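An added example (not from the presentation) of what signature analysis does: compare each file's claimed extension with the magic bytes at its start, and flag the ones that disagree. The signature table and the five sample file headers are constructed for illustration.

```python
# Constructed magic-number table: a few common signatures only, not a full library.
SIGNATURES = {
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {"doc", "xls", "ppt"},
}


def identify(header):
    """Return the set of extensions a header's magic bytes are consistent with."""
    for magic, extensions in SIGNATURES.items():
        if header.startswith(magic):
            return extensions
    return None


def classify(name, header):
    """Compare the claimed extension with the signature actually on disk."""
    extension = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    extensions = identify(header)
    if extensions is None:
        # No known magic: plain text or a type not in the table, not an alarm by itself.
        return "unknown signature"
    return "match" if extension in extensions else "mismatch"


def analyze(files):
    """files: {name: first bytes of the file}; returns the status of each entry."""
    return {name: classify(name, header) for name, header in files.items()}


def mismatches(files):
    """Names whose extension disagrees with their signature, for the report."""
    return sorted(n for n, status in analyze(files).items() if status == "mismatch")


# Constructed sample headers: the first bytes of five files in a case.
SAMPLES = {
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF",  # a JPEG renamed to look like text
    "report.pdf": b"%PDF-1.4\n",
    "readme.txt": b"plain text here",
}
```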
Forensic Analysis
• Analysis Examples …
Registry Overview
Registry – Software
Registry – System
• Mounted Devices
• Computer Name
• USB Plugged-In Devices (USBSTOR)
• Last System Shutdown Time
• Time Zone
Registry – SAM & NTUSER.DAT
• SAM
– Local Accounts
• NTUSER.DAT
– Network Assigned Drive Letters
– Typed URLs (websites)
– Last Clean Shutdown Date/Time
– Usernames and Passwords
– Recent Documents
• Registry examples …
Unallocated Space Analysis
• File Slack
Data Transfer Analysis
• FTP
• E-Mail
• External Drives
• Link Files (external/server)
• Internet History
• Webmail
• Created/Accessed/Modified Dates
Evidence/Analysis Reporting
Forensic Analyst
Types of Cases When Forensics Are Useful…
• Financial
– Receivership
– Bankruptcy
• General Litigation
– Commercial Litigation
– Product Liability
• Corporate
– Regulatory (SEC, Second Requests, FTC)
– Mergers/Acquisitions
Types of Cases When Forensics Are Useful, cont.
• Intellectual Property
– Theft of Intellectual Property
– Temporary Restraining Order (TRO)
– Permanent Injunction
Types of Cases When Forensics Are Useful, cont.
• Labor/Employment
– Violation of Non-Compete Agreements
– Sexual Harassment
– Age Discrimination
– Fraud/Embezzlement
– Other Violations of Company Policy
Types of Cases When Forensics Are Useful, cont.
• Domestic Relations
– Divorce
– Custody
• Corporate Criminal
– Other Criminal
For assistance or additional information
• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: tim.opsitnick@jurinnov.com
john.liptak@jurinnov.com
JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115