Computer Forensics Introduction Eric A. Vanderburg Director, Cyber Security, Information Systems and Computer Forensic and Investigation Services

Posted on 11-Apr-2017

Page 1: Computer forensics introduction - JurInnov - Eric Vanderburg

Computer Forensics Introduction

Eric A. Vanderburg, Director, Cyber Security, Information Systems and Computer Forensic and Investigation Services

Page 2

© 2007 Property of JurInnov Ltd. All Rights Reserved

Electronic Evidence — What is the Big Deal?

“…most of our [investment] banking clients are going to zero and you know I wanted to downgrade them months ago but got huge pushback from banking.”

— E-mail by ex-Salomon Smith Barney analyst Jack Grubman, Business Week, October 14, 2002

Page 3

What is the Big Deal?

“We are going to cut off their air supply. Everything they are selling, we are going to give away for free.”

— Microsoft vice president Paul Maritz describing in an e-mail how he planned to crush any competition from Netscape

CNN reporter Dave Wilson, May 3, 2002, www.cnn.com/2002/TECH/industry/05/03/microsoft.antitrust.email

Page 4

What is the Big Deal?

“Do we have a clear plan on what we want Apple to do to undermine Sun?”

— from a Bill Gates e-mail to Paul Maritz dated 8/18/77

United States v. Microsoft – Trial Transcript

Page 5

What is the Big Deal?

“Do I have to look forward to spending my waning years writing checks to fat people worried about a silly lung problem?”

— E-mail message in American Home Products Fen-Phen litigation

Page 6

What is Computer Forensics?

• Computer Forensics involves the preservation, identification, extraction, documentation and interpretation of computer data – Kruse and Heiser, 2002

Page 7

What is Computer Forensics?

• Computers provide evidence of every keystroke made, every Internet page visited, every picture downloaded and every print job sent to a printer
• A deleted file will, in many cases, still exist long after it has been deleted
• A computer forensic examiner assists an attorney by recovering data from computers and analyzing it to provide evidence of relevant personal and business records and information

Page 8

Why Forensics Technicians?

• Data must be gathered using a defensible process including appropriate tools and techniques
• Evidence validation/Hashing
• Deleted/Unallocated/Slack material: more valuable than active files?
• Analyze potential evidence and suggest ways to find other relevant facts and provide insights
• Independent reporting and testimony
• Data that is authenticated is generally more useful evidence

Page 9

Forensics Investigations Steps

• Image media
• Index or not
• Develop search terms
• Analysis
• Search data
• Provide evidence and reports
• Chain of custody considerations

Page 10

Types of Evidence

• Internet pages visited and how often
• Pictures downloaded
• Print images
• Emails
• Files deleted
• Links to files that once existed
• Registry
• Records of when operating system was installed
• Application Log Files
• List of installed programs
• Cell phones
• PDAs
• Digital copiers
• Pagers

Page 11

Forensic Tools and Issues

• Software tools (EnCase, FTK, Paraben, open source, freeware)
• Equipment
• Write blockers
• Encryption
• Password cracking
• Recovery of deleted data
• Server considerations

Page 12

Other Forensic Considerations

• Limit keyword searching as much as practicable
• Cost
• Keep in mind client budgets and utilize sampling where appropriate
• Consider the type of case and areas to search
• Consider presentation of evidence

Page 13

Case Studies

• Financial fraud
• Theft of Intellectual Property
• Spoliation
• Discrimination
• Sexual harassment
• Complying with discovery obligations in litigation
• Criminal

Page 14

Forensic Exhibits

• Slack
• Deleted Files
• Bit Stream Backup
• Mathematical Hashing
• Files
• Sectors
• Clusters
• Swap File

Mathematical hashing exhibit (two messages and the MD5 hashes shown on the slide):

Hello Alice,
Thank you for your mail!
Bob

MD5 Hash: 36 AE 0D 33 16 40 08 5B 47 1D F1 50 86 12 49 CC

Hello Alice,
Thank you for your mail!
Bob

MD5 Hash: BE 47 71 B2 B4 43 C9 DC 34 13 64 84 AF A3 FC 7A

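The evidence validation/hashing and "image media" items (pages 8 and 9) and the slack, bit stream backup and hashing exhibits on this page, as one worked example added here (not code from the original deck or from JurInnov): a constructed two-cluster volume is imaged as a bit-stream copy, validated by hash, shown to fail validation after a single bit changes, and its file slack is carved to recover a remnant of a deleted memo. The sector and cluster sizes, the memo text and the note text are assumptions of the demo.

```python
import hashlib

SECTOR = 512              # assumed sector size for this demo volume
CLUSTER = 4 * SECTOR      # assumed 4 sectors per cluster (2048 bytes)

def hash_evidence(data: bytes) -> dict:
    """MD5 and SHA-256 of an acquired image; both are recorded for validation."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def verify_image(source: bytes, image: bytes) -> bool:
    """A bit-stream copy is validated when its hashes match the source media."""
    return hash_evidence(source) == hash_evidence(image)

def build_demo_disk():
    """Constructed volume: cluster 0 once held a memo that was 'deleted'
    (directory entry removed, data left on disk); a short note was then
    written into the same cluster. Returns (disk, logical size of the note)."""
    disk = bytearray(2 * CLUSTER)
    old_memo = b"DELETED MEMO: restate the Q3 figures before the audit.\n" * 30
    disk[0:len(old_memo)] = old_memo            # 1650 bytes, most of cluster 0
    note = b"Hello Alice,\nThank you for your mail!\nBob"
    disk[0:len(note)] = note                    # active file: 41 bytes
    return disk, len(note)

def file_slack(disk: bytes, cluster: int, logical_size: int) -> bytes:
    """Bytes between end-of-file and end-of-cluster: the file's slack space."""
    start = cluster * CLUSTER + logical_size
    return bytes(disk[start:(cluster + 1) * CLUSTER])

def recover_from_slack(disk: bytes, cluster: int, logical_size: int, marker: bytes) -> bytes:
    """Carve the first complete line that begins with marker out of the slack."""
    slack = file_slack(disk, cluster, logical_size)
    idx = slack.find(marker)
    end = slack.find(b"\n", idx) if idx >= 0 else -1
    return slack[idx:end] if idx >= 0 and end >= 0 else b""

if __name__ == "__main__":
    disk, note_len = build_demo_disk()
    image = bytes(disk)                         # bit-stream copy of the whole media
    print("image validated:", verify_image(disk, image))
    tampered = bytearray(image)
    tampered[100] ^= 0x01                       # one flipped bit anywhere in the image
    print("tampered image validated:", verify_image(disk, tampered))
    print("carved from slack:", recover_from_slack(disk, 0, note_len, b"DELETED MEMO"))
```

The active note only accounts for 41 of the cluster's 2048 bytes; a keyword search limited to active files would never see the memo text that the slack carve returns.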

Page 15

Questions

Page 16

For assistance or additional information

• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: [email protected]

JurInnov Ltd., The Idea Center
1375 Euclid Avenue, Suite 400, Cleveland, Ohio 44115