Lejot OpenSource Tecnology - Computer Forensics

Lejot OpenSource Tecnology
-What is forensic science?
Forensic science is defined as scientific tests or techniques.
What is it used for?
Used in connection with the detection of crime.
-What is computer forensics?
Computer forensics is the use of investigation and analysis techniques to gather and preserve evidence from a particular computing device.
Its use in crime investigation.
If a crime is committed and a warrant is granted to search a computer device, the information found through computer forensics could be used as evidence in court.
Relatively young.
Computer forensics is generally quite young. It used to be considered as just forensics until computing devices and the internet became more common and cyber crime started to occur.
-Types of investigations.
This slide lists various crimes and situations in which computer forensics would be used:
Intellectual Property theft
Industrial espionage
Employment disputes
Fraud investigations
Forgeries
Matrimonial issues
Bankruptcy investigations
Inappropriate email and internet use in the work place
Regulatory compliance
Here are the main steps a computer forensic investigation would follow.
Legal Process + Identification
The legal process would, for example, involve obtaining a warrant through the court to be able to search a device. The identification step happens alongside this, as a warrant has to be very specific about which equipment can be searched and even what type of data can be accessed.
Extraction
The extraction stage consists of actually obtaining the needed evidence from the device in question.
Interpretation + Presentation
The data obtained from the targeted device must now be examined and prepared for presentation in a court of law or to a client.
Give a professional opinion
The evidence and presentation must be of a professional nature and unbiased, as it would normally be used in a court of law.
Here are some main points that must be taken into account when conducting a computer forensics case, to make sure its findings can be used as valid evidence.
No action should change data obtained.
No action should change the data obtained from the targeted device and this information should be preserved to be used as evidence.
Investigator must be competent.
The investigator in charge of the computer forensics case must be of a competent level to be able to give evidence from the investigation.
A diary of actions taken should be recorded for inspection.
A diary of actions taken during the investigation should be recorded and preserved so that peers can inspect it and confirm that the data used in the case is legitimate.
A computer forensics case's duration can depend on many varying factors, including:
The expertise of the staff.
The expertise of the staff conducting the investigation.
The number of computers.
The number of computers and devices under investigation.
The amount of storage.
The amount of storage to be examined.
Countermeasures.
Suspects in a case can sometimes take countermeasures to try to stop data being retrieved from a device.
Computer forensics is progressing and evolving very quickly, and this is down to a few things, including:
Encryption.
Encryption predates modern computers and is used to secure files and data. New encryption methods are created and cracked quite frequently, which leads to many ongoing developments in the computer forensic world.
Increase in storage space.
The number of methods and the amount of space available for storing data are ever increasing. This means that the time needed for computer forensics is also increasing.
Anti-Forensics.
Anti-computer forensics is a general term for a set of techniques used as countermeasures to forensic analysis. This means new measures are needed to counter these techniques.
Lejot OpenSource Tecnology and Global Cyber Defence di Fabio Carletti
The methodology:
- Initial assessment: analysis of the crime scene and of the technological devices that will be the object of study
- Preparation of an investigative profile: choice of the operational steps needed to carry out the case
- Determination of the required resources (hardware, software)
- Collection of the evidence
- Copying of the evidence
- Minimising risk and setting up a chain of custody
- Analysis and recovery of the digital evidence
- Writing of the final report
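As an added example (not from the original slides or from Lejot OpenSource Tecnology), the evidence-handling principles above ("no action should change the data", "a diary of actions should be recorded") and the copy-of-evidence and chain-of-custody steps of the methodology, in Python: the working copy is proven identical to the original by SHA-256, and every action goes into a hash-chained diary whose verify() detects later edits, deletions or reordering. The function names, the "examiner-1" identity and the sample evidence file are constructed for illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # 1 MiB chunks: large images fit
            h.update(chunk)
    return h.hexdigest()
def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}  # own hash excluded
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only diary of actions; each entry commits to the one before it."""
    def __init__(self):
        self.entries = []
    def record(self, actor, action, evidence_sha256):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"time": datetime.now(timezone.utc).isoformat(), "actor": actor,
                 "action": action, "evidence_sha256": evidence_sha256, "prev_entry_hash": prev}
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
    def verify(self):
        """True unless an entry was altered, removed or reordered after being written."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev_entry_hash"] != prev or e["entry_hash"] != entry_hash(e):
                return False
            prev = e["entry_hash"]
        return True
def acquire_copy(source, dest, actor, log):
    # Hash the original first, copy it, then prove the copy matches; log both steps.
    original = sha256_file(source)
    log.record(actor, f"hashed original {source.name}", original)
    shutil.copyfile(source, dest)
    copy = sha256_file(dest)
    log.record(actor, f"copied to {dest.name}", copy)
    return original == copy

def demo():
    work = Path(tempfile.mkdtemp())
    source = work / "evidence.bin"
    source.write_bytes(b"constructed sample evidence\n" * 1000)  # constructed input
    log = CustodyLog()
    copy_ok = acquire_copy(source, work / "evidence_copy.bin", "examiner-1", log)
    log_ok = log.verify()
    log.entries[0]["action"] = "edited after the fact"  # simulate a tampered diary
    return copy_ok, log_ok, log.verify()
```

demo() returns (True, True, False): the copy matched, the diary verified, and the after-the-fact edit was caught.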