COEN 252 Computer Forensics
Introduction to Computer Forensics
Thomas Schwarz, S.J. 2009

Computer Forensics
- Digital Investigation
  - Focuses on a digital device
    - Computer
    - Router
    - Switch
    - Cell-phone
    - SIM-card
    - …

Computer Forensics
- Digital Investigation
  - Focuses on a digital device involved in an incident or crime
    - Computer intrusion
    - Generic criminal activity
      - Perpetrator uses internet to gather information used in the perpetration of a crime.
    - Digital device is an instrument of a crime
      - Perpetrator uses cell-phone to set off a bomb.
        - Details are sensitive to national security. If you get clearance, I can tell you who to ask.
      - Email scams
      - Internet auction fraud
      - Computer is used for intrusion of another system.

Computer Forensics
- Digital Investigation
  - Has different goals
    - Prevention of further intrusions.
      - Goal is to reconstruct modus operandi of intruder to prevent further intrusions.
    - Assessment of damage.
      - Goal is to certify system for safe use.
    - Reconstruction of an incident.
      - For criminal proceedings.
      - For organization-internal proceedings.

Computer Forensics
- Digital Investigation
  - Process where we develop and test hypotheses that answer questions about digital events.
  - We can use an adaptation of the scientific method where we establish hypotheses based on findings and then (if possible) test our hypotheses against findings resulting from additional investigations.

Computer Forensics
- Evidence
  - Procedural notion
    - That on which our findings are based.
  - Legal notion
    - Defined by the “rules of evidence”
    - Differ by legislation
  - “Hear-say” is procedurally evidence, but excluded (under many circumstances) as legal evidence.

Computer Forensics
- Forensics
  - Used in the “forum”, especially for judicial proceedings.
  - Definition: legal

Computer Forensics
- Digital Crime Scene Investigation Process
  - System Preservation Phase
  - Evidence Searching Phase
  - Event Reconstruction Phase
- Note: These phases are different activities that intermingle.

Computer Forensics
- Who should know about Computer Forensics
  - Those involved in legal proceedings that might use digital evidence
    - Judges, Prosecutors, Attorneys, Law Enforcement, Expert Witnesses
  - Those involved in Systems Administration
    - Systems Administrators, Network Administrators, Security Officers
  - Those writing procedures
    - Managers

Computer Forensics
- Computer Forensics presupposes skills in
  - Ethics
  - Law, especially rules of evidence
  - System and network administration
  - Digital data presentation
    - Number and character representation
  - Systems
    - OS, especially file systems.
    - Hardware, especially disk drives, memory systems, computer architecture, …
  - Networking
    - Network protocols, Intrusion detection, …
  - Information Systems Management

COEN 252 Prerequisites
- Required:
  - Good moral character. Ability and willingness to respect ethical boundaries.
  - Familiarity with at least one type of operating system. (Windows, Unix/Linux, DOS experience preferred.)
  - Some programming.
  - Access to a computer with Hex editor.
- Desired:
  - Familiarity with OS Theory.
  - Familiarity with Networking.
  - Some Knowledge of U.S. Legal System.

COEN 252 Text Books
- SKOUDIS, E., ZELTSER, L.: Malware: Fighting Malicious Code. Prentice Hall Professional Technical Reference. 2004. Second edition about to appear.
- MANDIA, K., PROSISE, C., PEPE, M.: Incident Response & Computer Forensics. 2nd edition. Osborne-McGraw Hill, 2003.

COEN 252 Grading
- Written Final (20%) (No collaboration.)
- Practical Final (35%, due day of the final) (No collaboration.)
- Ethics Case (5%, due day of the final) (No collaboration.)
- Laboratories & Homeworks (30%) (Limited collaboration.)
- Class Project (10%) Groups.

This class is subject to the School of Engineering's Honor code.
Disability Accommodation Policy: To request academic accommodations for a disability, students must contact Disability Resources located in the Drahmann Center in Benson, Room 214 (Tel.: 554-4111, TTY 554-5445). Students must provide documentation of a disability to Disability Resources prior to receiving accommodations.
You should take the PERL courses offered by the Sun Academic Alliance. You can find instructions at ~tschwarz/ Homepage/ SunAcademicAllianceInstructions.html