
(1)

LUDWIG SLUSKY, CALIFORNIA STATE UNIVERSITY, LOS ANGELES, U.S.A. LSLUSKY@EXCHANGE.CALSTATELA.EDU

PARVIZ PARTOW-NAVID, CALIFORNIA STATE UNIVERSITY, LOS ANGELES, U.S.A. PPARTOW@EXCHANGE.CALSTATELA.EDU

Development of Computer Forensics Course Using EnCase

E-LEARN 2009
World Conference on E-Learning in Corporate, Government, Healthcare & Higher Education
Vancouver, Canada: October 26-30, 2009. Best Practices Session

(2)

Forensic Sciences

10/27/2009 11:55am. E-Learn 2009. Ludwig Slusky and Parviz Partow, slide 2

Originated in Medicine

Expanded … Arson, Chemistry, … and Digital Evidence.

Forensic Sciences is “a broad spectrum of sciences to answer questions of interest to a legal system.” (Wikipedia)

Computer Forensics - “use of analytical and investigative techniques …
- to identify, collect, examine and preserve information … magnetically stored or encoded …
- to provide digital evidence of a specific or general activity.”

(3)

Investigation of Computer Attacks

Investigations of computer attacks, hacker intrusion, fraud and abuses:
- Salami attack
- Data Diddling
- Excessive (elevation of) privileges
- Password sniffing on a network
- IP spoofing
- Eavesdropping
  - Emanation
  - Wiretapping

(4)

Recovery of Computer Information

International principles
- Recognition of evidence
- Handling in various courts consistently in the same manner.

The common evidence for such investigations includes:
- Violations of Information Security
- Penetration of Computer Access Control
- Breaching Information Accountability
- Penetration of Network Security
- Cryptanalysis
- Penetration of Operational Security of Computer Systems
- Penetration of Application and Database Security
- Hacking

(5)

Preventing Recovery - Crashed Hard Disks


(6)

Hard Disk Destruction

Sensitive information on a hard disk requires decommissioning.

After being crushed by the Hard Disk Crusher, the data can never be recovered again. It drills through the hard disk's spindles and physically creates ripples in the platters, making it impossible to recover the data.

Reformatting a disk or using a degausser are other options, although these can be less reliable.

http://edrsolutions.com/solution.asp

(7)

Forensic Investigation Process

Computer forensics software collects data into evidence files

(8)

Remote Forensic Investigation

Forensic investigation
- Traditional – physical access to a target machine
- Remote – access across a network; a new technique
  - Target machine can be located anywhere
  - Accessible via the Internet or dedicated communication lines

EnCase Enterprise Edition supports remote investigation

(9)

Recommendations for Remote Investigation

- Keep system resource usage down
- Disguise the remote investigative agent software
- Make sure that a personal firewall active on the target machine is open for inbound connections
- Keep the log file free from recording any forensic activities
- Start an agent on the target machine systematically when the machine starts
- Do forensics during non-business hours or when large hard drive activity is expected (e.g., antivirus scans)
- Be extra careful targeting a laptop for investigation: prolonged hard drive activity can be suspicious
- A high-speed network connection is better than a slow WAN.

(10)

Covert Collection Avoidance Techniques

- Review Task Manager periodically for increased and persistent hard drive activity at odd times
  - Identify and stop the remote agent’s system process
- Enable blocking of inbound connections in a personal firewall (to block the agent’s tool).
- Be alert to performance degradation noticeable while copying a large file over the network.

(11)

Computer Forensics Certifications

- EnCase Certified Examiner (EnCE)
- Certified Computer Forensic Technician (CCFT)
- Certified Computer Forensic Examiner (CFCE)
- GIAC Certified Forensics Analyst (GCFA)
- AccessData Certified Examiner (ACE)
- Certified Computer Examiner (CCE)

(12)

Introductory Course: Topics

1. Computer Forensics and Investigation as a Profession
2. Understanding Computing Investigations
3. The Investigator's Office and Laboratory
4. Processing Crime and Incident Scenes
5. Computer Forensics Tools Concepts
6. Computer Forensics Analysis and Validation
7. Acquiring Digital Evidence
8. Searching for and Bookmarking Data
9. File Signature and Hash Analysis
10. Creating Reports for High-Tech Investigations
11. Expert Testimony in High-Tech Investigations
12. Ethics for the Expert Witness

Source: Bill Nelson, Amelia Phillips, Frank Enfinger

(13)

Pre-Requisites for Study

Students must have senior standing

Pre-requisite courses by major include:
- Computer Information Systems - information architecture, common business applications, and organizational context of computer-based information systems.
- Criminal Justice - methodologies and techniques appropriate for application in criminal justice environments
- Accounting - Accounting Information Systems including internal controls and tools.

Pre-requisite focus - understanding of types of digital evidence and how computers work

(14)

Computer Forensic Software: EnCase

EnCase® Forensic - makes an image of a hard drive in a forensically-prudent EnCase evidence file format
- de facto standard application for computer forensics
- Used in the proposed course

EnCase® Enterprise – for remote investigation of internal and external threats from a central console

EnCase Data Audit & Policy Enforcement - search for information on the laptops, desktops, file servers, and email servers … from a central location

EnCase Cybersecurity - for national information security policy (identifying/responding to threats, remediating malware).

EnCase® eDiscovery - a pocket-sized kit to search and collect electronically stored information across the network.

(15)
(16)

Practicing EnCase Forensic

Hands-on Practicum with EnCase
- Understanding of Case Management, EnCase Forensic software, and evidence file structure
- Team project
- Depending on major, emphasis on different phases
  - Information systems - emphasis on identification, preservation, and collection of data of various types from various devices.
  - Accounting - emphasis on data collection, examination, and analysis.
  - Criminal Justice - emphasis on data analysis, presentation, and decision.
- Computer Forensics case study in the context of a

(17)

Hands-on Practicum with EnCase

- Viewing FAT Entries
- Navigating EnCase
- Maintaining Data Integrity
- Searching for Data; Bookmarking the Results
- File Signature Analysis
- Windows Artifacts Recovery
- Partition Recovery
- Email and Registry Examination
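As an added worked example (not from the slides and not EnCase's own code), the two checks behind the "File Signature Analysis" and "Maintaining Data Integrity" practicum items: a small magic-number table that flags files whose header disagrees with their extension, and an SHA-256 comparison of an evidence file against the hash recorded at acquisition. The signature table and the sample "files" are constructed for this example.

```python
import hashlib
from pathlib import PurePath

# Constructed magic-number table for this example; EnCase's own signature table
# is far larger. Entry: (header bytes, file type, extensions normally used for it).
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"PK\x03\x04", "ZIP archive (also DOCX/XLSX)", {".zip", ".docx", ".xlsx"}),
]

def identify_type(data):
    """Return (type name, expected extensions) for the first matching header, else None."""
    for magic, name, exts in SIGNATURES:
        if data.startswith(magic):
            return name, exts
    return None

def signature_status(filename, data):
    """Classify a file as signature analysis does:
    'match'    - header and extension agree
    'mismatch' - known header under a different extension (possibly renamed to hide it)
    'unknown'  - no known header (plain text, fragments, or a type not in the table)
    """
    hit = identify_type(data)
    if hit is None:
        return "unknown"
    ext = PurePath(filename).suffix.lower()
    return "match" if ext in hit[1] else "mismatch"

def sha256_hex(data):
    """Hash recorded when an evidence file is acquired, so later changes can be detected."""
    return hashlib.sha256(data).hexdigest()

def verify_integrity(data, recorded_hash):
    """Recompute the hash and compare it with the value recorded at acquisition."""
    return sha256_hex(data) == recorded_hash.lower()

# Constructed sample files: JPEG bytes hidden under a .txt name, a real PNG header, plain text.
SAMPLES = {
    "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "readme.txt": b"plain text, no magic number\n",
}

def triage(samples=SAMPLES):
    """Run signature analysis over every sample; 'mismatch' entries deserve a closer look."""
    return {name: signature_status(name, data) for name, data in samples.items()}
```

A real examination compares against a much larger signature table and records the acquisition hash in the case file; the logic of the two checks is the same.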

(18)

Forensics Lab vs. Open Access Lab

Dedicated Computer Forensics Lab with support of technical assistants (desirable, not required)

Online remote dedicated Computer Forensics Lab (goal)

Common-use Open Access Labs on campus (sufficient)
- Computers are shared between forensics studies and other courses and applications that use internal disk drives
- Information Assurance and privacy concerns
- A student can recover any information previously deleted by other users.
- Prevent access to the hard drive as a target of investigation

(19)

Online/Hybrid/In-Class Learning

E-Learning of Information Security and preparation for certification exams (like Certified Information Systems Security Professional [CISSP®]) is common practice.
- American InterContinental University - Bachelor of Information Technology (BIT) with a concentration in Computer Forensics.
- Champlain College - BS in Computer and Digital Forensics
- Other major online universities
  - University of Phoenix, Liberty University, DeVry University's Keller Graduate School of Management, Strayer University Online, etc.

A limited demo version of EnCase Forensic is included in some professional training books
- Works only with the evidence file included on the CD; prevented from accessing any other media
- Opens two opportunities: practicing EnCase at home and shifting

(20)

Encryption for Online Studies

TrueCrypt (http://www.truecrypt.org/)
- Powerful open-source encryption software
- Windows Vista/XP, Mac OS X, and Linux
- Encrypts a partition or the entire storage – hard disk
- Mobile data protection - USB flash drive
- Plausible deniability for a user using a hidden volume
  - Presence cannot be easily detected
  - Data cannot be distinguished from random residual data

Used to secure information transmitted in Online studies

Password/encryption cracking to reveal intentionally hidden information (with EnCase)
- Student can originate an attack on a computer; typical methods are

(21)

Skills, Tutorials, Teamwork

Emphasis on skills using Computer Forensics software

Online instruction for Computer Forensics skills is well suited

Extensive online EnCase tutorials reduce the need for F2F instruction

Hybrid learning - best option

Teamwork vs. Individual work
- Teamwork in a dedicated Forensic Lab with F2F instruction
- Individual work in e-learning with no dedicated Forensic Lab

(22)

Challenges of Teaching Course Online

Instructional technical challenges
- Responding to students’ creativity
- Inappropriate use of the software by students

Multi-disciplinary audience

Dissemination of controlled knowledge and software

Risks of privacy and information security violations

Risks of instructor’s liability
- Is the target computer permitted for computer investigation?
- Do online participants impersonate a legitimate student?

Compliance with Laws and Regulations

(23)

Development of Computer Forensics Course Using EnCase
