What is Computer Forensics?
Electronic Evidence & Computer Forensics
Mark Lanterman, Computer Forensic Services

Today
- Background
- Computer Forensics
- Case Examples
- Phones/PDAs/iPods/GPS
- Dos and Don'ts
- Extra Credit…

What is Computer Forensics?
Computer Forensics is the application of the law to computer science. It applies scientific and analytical techniques to computer data structures in order to determine their potential as evidence. Or, simply put: analyzing electronic data devices for evidence.

Computer Forensics Challenge
The challenges are:
- Recognizing and accessing data sources
- Collecting and preserving the evidence
- Presenting/explaining the evidence in a manner that is acceptable and understandable

Deleted Data
Hard drive technology – data storage
- What are deleted files?
- What about formatting?
- Can you tell if deletions have taken place?

Paper vs Electronic
Plaintiff claimed that Word documents he had saved to a floppy disk in 1997 proved his application for other positions in the company. Analysis showed the documents were created using Word 2000 (registered to the Plaintiff's wife) one month prior to disclosure.

Metadata is often described as "data about data." But what does this mean?

There are two components to any computer-generated document/file:
1) the content of the document;
2) the layer of information about the data. This is metadata.

- Metadata may include a file's name, size and creation/deletion date.
- It may also include the source of the data, its author, the time it took to create, whether others have viewed it, printed it, and so on.
- Allows compilation of critical timelines

Timeline
External drive is attached to laptop.
System rebooted by user.
WipeInfo is executed from external drive.
WipeInfo process is ended and system is shut down at approx. 11:06 am.
Laptop signed for by messenger at 11:07 am. Receipt signed by plaintiff.
Messenger had arrived at approx. 10:45 am. We were charged $11.00 for the messenger's delay.

Timeline
Analysis produced evidence of:
- Satellite television signal descrambling
- Pirated software and decryption software
- Child pornography
Plaintiffs sanctioned for spoliation

Analysis
- Deleted emails and attachments
- Ebay sales and purchases
- 50" plasma "monitors"
- False identities
- Irish bank accounts
- $1.6 million over a period of months

Outcome
Guilty Plea #1
- 57 months
- 20 year probation
- Additional 60 months if violated
- $1.6 million restitution
Jury Trial #2
- Guilty of all eight felony charges
- 60 months

Family Business Embezzlement (and Explosion)
Former United States Congressman working for family business
Suspicion of embezzling to support: Vegas girlfriend(s)
Suspicious explosion
Call from BATF and insurance company investigator

Very Smart Devices…
Complete call history
Active and deleted emails
[email screenshot: To / From]
Deleted text/SMS messages and attached files
Web history
Active and deleted voicemails!
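Returning to the metadata and timeline slides above: the following Python is an added example (not code from the presentation or from Computer Forensic Services) that merges timestamps recovered from several artifacts into one timeline, flags wiping-tool activity inside the custody window, and checks a file's claimed save date against the release date of the application recorded in its metadata, as in the floppy-disk case. The artifact names, the date and all times except 10:45, 11:06 and 11:07 are constructed, and the Word 2000 release month is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Event:
    when: datetime      # timestamp recovered from the artifact
    source: str         # artifact that supplied it (constructed labels)
    description: str

# Constructed sample modelled on the laptop timeline in the slides. Only the
# 10:45, 11:06 and 11:07 times come from the slides; the date, the other
# times and the artifact names are assumptions so the example can run.
DAY = "2005-03-01 "
SAMPLE_EVENTS = [
    Event(datetime.fromisoformat(DAY + "11:07"), "courier receipt", "laptop signed for by messenger"),
    Event(datetime.fromisoformat(DAY + "10:52"), "USB device log", "external drive attached"),
    Event(datetime.fromisoformat(DAY + "10:45"), "courier log", "messenger arrives"),
    Event(datetime.fromisoformat(DAY + "10:55"), "event log", "system rebooted by user"),
    Event(datetime.fromisoformat(DAY + "10:58"), "prefetch", "WIPEINFO.EXE run from external drive"),
    Event(datetime.fromisoformat(DAY + "11:06"), "event log", "WipeInfo ended; system shut down"),
]
# Assumption: wiping utilities the examiner treats as anti-forensic indicators.
WIPING_TOOL_NAMES = ("wipeinfo",)
# Constructed claimed save date, and assumed Word 2000 release month (June 1999).
CLAIMED_SAVE_DATE = datetime(1997, 6, 1)
WORD_2000_RELEASE = datetime(1999, 6, 1)

def build_timeline(events):
    """Merge events from every artifact into one chronological list."""
    return sorted(events, key=lambda e: e.when)

def wiping_during_custody(events, custody_start):
    """Wiping-tool events at or after custody_start (here: the messenger's arrival)."""
    return [e for e in build_timeline(events)
            if e.when >= custody_start
            and any(name in e.description.lower() for name in WIPING_TOOL_NAMES)]

def application_anachronism(claimed_saved, app_first_release):
    """True when a file's claimed save date predates the release of the application
    recorded in its metadata, as in the 1997 floppy vs Word 2000 case."""
    return claimed_saved < app_first_release

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_EVENTS)
    for e in timeline:
        print(f"{e.when:%H:%M}  {e.source:16} {e.description}")
    hits = wiping_during_custody(SAMPLE_EVENTS, timeline[0].when)
    print(f"wiping activity after messenger arrival: {len(hits)} event(s)")
    print("claimed 1997 date is an anachronism:",
          application_anachronism(CLAIMED_SAVE_DATE, WORD_2000_RELEASE))
```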
Not just photos…
Deleted Photos…

And One More Thing…..
Most Important!
- Do not turn on or plug in any devices
  - Alteration of date/time stamps
  - Inadvertent spoliation
- Cell phones/PDAs: Faraday bags, arson cans, aluminum foil

Extra Credit
- How to securely delete sensitive data…

Matt Willis
Computer Forensic Services
601 Carlson Parkway, Suite 630
Minnetonka, MN 55305
952.924.9920
[email protected]
www.compforensics.com