
Introduction to Cyber Crime, Digital Evidence, and Computer Forensics
Technology-Assisted Crimes Against Children – May 20-21, 2010
Copyright © 2010 National Center for Justice and the Rule of Law – All Rights Reserved

Cyber Crime, Digital Evidence Locations, and Computer Forensics

Don Mason
Associate Director

Objectives
After this session, you will be able to:
• Define “cyber crime”
• Define and describe “digital evidence”
• Identify devices and locations where digital evidence may be found
• Define basic computer and digital forensics
• Identify and describe the basic practices, principles, and tools used in digital forensics

Advancing Technology

• Mainframes, desktops, laptops
• Digital cameras
• Convergent, “smart” devices

Always Something New

Roles of Digital Devices
• Targets
• Tools
• Containers

New Crimes, New Techniques
Computer as Target
• Unauthorized access, damage, theft
• Spam, viruses, worms
• Denial of service attacks
Computer as Tool
• Fraud, ID theft
• Threats, harassment, bullying
• Child pornography
Computer as Container
• From drug dealer records to how to commit murder

“Cyber Crime”
• “Computer crime”
• “Network crime”
• “Computer-related crime”
• “Computer-facilitated crime”
• “High tech crime”
• “Internet crime” or “Online crime”
• “Information age crime”

Any crime in which a computer or other digital device plays a role, and thus involves digital evidence

Digital Evidence
Information of probative value that is stored or transmitted in binary form and may be relied upon in court

Digital Evidence
Information stored in binary code but convertible to, for example:
– e-mail, chat logs, documents
– photographs (including video)
– user shortcuts, filenames
– web activity logs
Easily modified, corrupted, or erased
But correctly made copies are indistinguishable from the original

How Data Is Stored
• Track
• Sector
• Clusters are groups of sectors

The Internet
• World Wide Web (the Web)
• E-mail
• Instant messaging (IM)
• Webcam / Internet telephone (VoIP)
• Peer-to-peer (P2P) networks
• Legacy systems
  – Newsgroups
  – Telnet and file transfer (FTP) sites
  – Internet Relay Chat (IRC)
  – Bulletin boards

Web 2.0
Interactive Internet communities
• Social networks
• Blogs
• “Wikis”
• Video or photo sharing sites
• Online role-playing games
• Virtual worlds

Computer and Internet Uses
• Remote computing
• Research
• Commerce
• Recreation
• Communication

Cloud Computing
(Diagram: “The Cloud”, with Google, Amazon, and Yahoo as examples)
Basically, obtaining computing resources from someplace outside your own four walls, and paying only for what you use
– Processing
– Storage
– Messaging
– Databases
– etc.

Ex: Google Docs

What Kinds of Computers Can Be on the Internet?
• Mainframes
• Personal computers
• Personal digital devices
• Laptops
• Cell phones

Internet Connectivity
(Diagram: home PCs reach an Internet Service Provider (ISP) over a telephone dial-in line, a DSL line, or a cable modem connection; the ISP connects to other networks over a high-speed data link)

Internet Addressing
Every network / host (and each home computer connected to the Internet) has a unique numeric Internet protocol (IP) address: num1.num2.num3.num4
e.g., 172.20.53.229
Nearly all hosts and networks also have corresponding domain names that are easier for humans to remember and use
e.g., www.ncjrl.org or oag.state.gov.us

Why Addressing Matters
The Internet is a packet-switched network
The component parts of a communication (i.e., the packets) sent to another host may travel by different paths
Each packet makes one or more “hops” along the network on the way to its destination

What’s in a Packet?
An IP data packet includes
– routing information (where it came from, where it’s going), e.g., source 172.31.208.99, destination 10.135.6.23
– the data to be transmitted, e.g., 011100101010101110110110001001010100...
Replies from the receiving host go to the packet’s source address – here, 172.31.208.99
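The routing information the slide describes sits at fixed offsets in the IPv4 header, which is why a network-forensics tool can pull source and destination out of a captured packet. The following Python is an added example, not code from the original slides: it builds a packet carrying the slide's two addresses (the payload bytes are constructed), then parses the header back out and verifies the RFC 791 header checksum before trusting the routing fields. The function names, the identification value 0x1234 and the sample payload are this example's own assumptions.

```python
"""Build and parse a minimal IPv4 packet (added example, constructed data)."""
import ipaddress
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, payload: bytes, ttl: int = 64, proto: int = 17) -> bytes:
    """Minimal 20-byte header (version 4, IHL 5, no options) followed by the payload."""
    total_len = 20 + len(payload)
    without_csum = struct.pack(IPV4_HEADER, 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                               ipaddress.IPv4Address(src).packed,
                               ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(without_csum)
    header = without_csum[:10] + struct.pack("!H", csum) + without_csum[12:]
    return header + payload


def parse_ipv4_packet(packet: bytes) -> dict:
    """Extract the routing fields an examiner cares about and check header integrity."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HEADER, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    # Summing the header including its stored checksum must give zero
    checksum_ok = ipv4_checksum(packet[:ihl]) == 0
    return {
        "src": str(ipaddress.IPv4Address(src)),   # replies from the receiver go back here
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,                               # decremented at every hop along the path
        "protocol": proto,
        "total_length": total_len,
        "checksum_ok": checksum_ok,
        "payload": packet[ihl:total_len],
    }


# Constructed sample packet using the slide's addresses; payload bytes are made up
SAMPLE_PACKET = build_ipv4_packet("172.31.208.99", "10.135.6.23", b"\x72\xab\xb6\x25\x40")

if __name__ == "__main__":
    print(parse_ipv4_packet(SAMPLE_PACKET))
```

The checksum only protects the header against accidental corruption; it is not an authenticity check, since anyone forming a packet can compute it, which is why address fields in a capture are corroborated with provider records rather than taken at face value.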

Packet Switching
(Animated diagram, repeated over several slides: packets pass between ISP.COM, a/k/a 172.31.208.99, and AGENCY.GOV, a/k/a 10.135.6.23)

Why It Matters How Computers, Networks, and the Internet Work
• Immense amount of digital data created, transmitted, stored
• Some created by humans
• A lot necessarily created by machines “in the background”

Digital Evidence
User-created
– Text (documents, e-mail, chats, IM’s)
– Address books
– Bookmarks
– Databases
– Images (photos, drawings, diagrams)
– Video and sound files
– Web pages
– Service provider account subscriber records
Computer-created
– Dialing, routing, addressing, signaling info
– Email headers
– Metadata
– Logs, logs, logs

Digital Evidence
– Logs, logs, logs
– Browser cache, history, cookies
– Backup and registry files
– Configuration files
– Printer spool files
– Swap files and other “transient” data
– Surveillance tapes, recordings

Data Generated in 2006
161 billion gigabytes (161 exabytes)
• 12 stacks of books each reaching from the Earth to the Sun
• 3 million times all the books ever written
• Would need more than 2 billion iPods to hold it

Projections for 2006-2010
• Six-fold annual information growth
• In 2010: 988 exabytes to be created and copied
  – More than 73 stacks of books taller than 93 million miles!
• Compound annual growth rate: 57%

Forms of Evidence
Files
– Present / Active (doc’s, spreadsheets, images, email, etc.)
– Archive (including as backups)
– Deleted (in slack and unallocated space)
– Temporary (cache, print records, Internet usage records, etc.)
– Encrypted or otherwise hidden
– Compressed or corrupted
Fragments of Files
– Paragraphs
– Sentences
– Words

Digital Devices / Locations Where Digital Evidence May Be Found

Computer Hardware
(Diagram: monitor, printer, Zip drive, hard drive, laptop computer, digital camera, tape drive, disks, CD-ROM drive, computer)

Challenges
• Increasing ubiquity and convergence of digital devices
• Increasing data storage capacity
• Shrinking devices and media
• Growing use of solid state devices

Internal Drives
Removable Media
USB Storage Devices

More Digital Devices
And Still More
More
(Several further slides of device photographs)
Vehicle “black boxes”
– Event data recorders
– Sensing and diagnostic modules
– Data loggers
GPS devices
Evidence Containers
More Containers

Digital Surveillance
Chicago’s 911 Network
Room in Virtual World
Ex: Second Life
Cell Site Location Data

Computer Forensics
“preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis”
• Usually pre-defined procedures followed, but flexibility is necessary as the unusual will be encountered
• Was largely “post-mortem” but is evolving

Computer / Digital Forensics
Sub-branches / activities / steps
– Computer forensics
– Network forensics
– Live forensics
– Software forensics
– Mobile device forensics
– “Browser” forensics
– “Triage” forensics

Basic Computer Forensics
• Seizing computer evidence (bagging & tagging)
• Imaging seized materials
• Searching the image for evidence
• Presenting digital evidence in court

Myth v. Fact
Myth
– A computer forensic analyst can recover any file that was ever deleted on a computer since it was built.
Fact
– The analyst can recover a deleted file, or parts of it, from unallocated file space until the file system writes a new file or data over it.
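The Fact above follows from how data is stored (the earlier “How Data Is Stored” slide: clusters are groups of sectors). The Python below is an added example, not code from the slides, that serves both passages: it models a disk as clusters of 512-byte sectors, shows the unused tail of a file's last cluster (file slack), and shows that deleting a file only drops its directory entry and frees its clusters, so a signature scan of unallocated space still finds the data until a new file is written over it. The `ToyDisk` class, the 4-sectors-per-cluster geometry and the sample file contents are constructed assumptions, not a real file system.

```python
"""Toy disk: sectors, clusters, slack space, deletion and carving (added example)."""
SECTOR_SIZE = 512
SECTORS_PER_CLUSTER = 4                               # constructed geometry
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER      # 2048 bytes


class ToyDisk:
    def __init__(self, clusters: int):
        self.media = bytearray(clusters * CLUSTER_SIZE)   # raw bytes on the media
        self.free = list(range(clusters))                 # unallocated cluster numbers
        self.directory = {}                               # name -> (size, [clusters])

    def write(self, name: str, data: bytes) -> list:
        """Allocate whole clusters and copy only the file's bytes into them."""
        needed = -(-len(data) // CLUSTER_SIZE)            # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        clusters = [self.free.pop(0) for _ in range(needed)]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Bytes after the end of the file in its last cluster (file slack)
            # are not touched, so they keep whatever was there before.
            self.media[start:start + len(chunk)] = chunk
        self.directory[name] = (len(data), clusters)
        return clusters

    def delete(self, name: str) -> None:
        """Delete the way a file system does: drop the entry, free the clusters, keep the bytes."""
        _, clusters = self.directory.pop(name)
        self.free = sorted(self.free + clusters)

    def slack(self, name: str) -> bytes:
        """The unused tail of the file's last cluster."""
        size, clusters = self.directory[name]
        last = clusters[-1] * CLUSTER_SIZE
        used_in_last = size - (len(clusters) - 1) * CLUSTER_SIZE
        return bytes(self.media[last + used_in_last:last + CLUSTER_SIZE])

    def carve(self, magic: bytes) -> list:
        """Scan unallocated clusters for a file signature, as a carving tool does."""
        hits = []
        for c in self.free:
            start = c * CLUSTER_SIZE
            block = self.media[start:start + CLUSTER_SIZE]
            if block.startswith(magic):
                hits.append((c, bytes(block.rstrip(b"\x00"))))
        return hits


def demo() -> dict:
    """Write, delete, carve, overwrite, carve again on constructed sample data."""
    disk = ToyDisk(clusters=8)
    pdf = b"%PDF-1.4 constructed sample document " + b"A" * 3000   # 3037 bytes -> 2 clusters
    disk.write("report.pdf", pdf)
    slack_bytes = len(disk.slack("report.pdf"))           # 2 * 2048 - 3037
    disk.delete("report.pdf")
    carved_after_delete = disk.carve(b"%PDF")             # signature still in unallocated space
    disk.write("notes.txt", b"new data " * 300)           # reuses the freed clusters
    carved_after_overwrite = disk.carve(b"%PDF")
    return {"slack_bytes": slack_bytes,
            "carved_after_delete": len(carved_after_delete),
            "carved_after_overwrite": len(carved_after_overwrite)}


if __name__ == "__main__":
    print(demo())
```

Real carving tools work the same way on an image of the whole drive, which is why the forensic image must capture unallocated space and slack rather than just the files the directory lists.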

Myth v. Fact
Myth
– Metadata (“data about data”) is the all-knowing, all-seeing, end-all piece of info on a file.
Fact
– Metadata does contain useful information about a file, but it is limited.
  E.g.:
  – Author
  – MAC times
  – File name, size, location
  – File properties
– Might contain revisions, comments, etc.

Metadata – Basic Examples
Metadata – Track Changes
Metadata – Comments

EXIF Data
Exchangeable Image File Format
Embeds data into images containing camera information, date and time, and more
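An added Python example, not code from the slides, of how EXIF embeds that camera and time information: EXIF metadata is a TIFF structure (a byte-order mark, the magic number 42, an offset to the first image file directory, then 12-byte directory entries of tag, type, count and value-or-offset). The parser below reads a constructed Exif blob and pulls out the ASCII Make, Model and DateTime fields by their real TIFF tag numbers. `build_tiff`, `parse_tiff_ascii_tags`, the camera name and the date are this example's own constructed values.

```python
"""Minimal EXIF/TIFF ASCII tag reader (added example, constructed sample)."""
import struct

# Real TIFF/EXIF tag numbers for the ASCII fields this example reads
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x0132: "DateTime", 0x013B: "Artist"}
ASCII = 2   # TIFF field type for NUL-terminated ASCII text


def build_tiff(fields: dict) -> bytes:
    """Serialise {tag: text} as a little-endian TIFF with one IFD (used for the sample)."""
    entries = sorted(fields.items())                       # TIFF requires ascending tag order
    data_offset = 8 + 2 + 12 * len(entries) + 4            # header + count + entries + next-IFD link
    entry_bytes, values = b"", b""
    for tag, text in entries:
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:                                  # short values live inside the entry
            entry_bytes += struct.pack("<HHI4s", tag, ASCII, len(raw), raw.ljust(4, b"\x00"))
        else:                                              # longer ones are stored after the IFD
            entry_bytes += struct.pack("<HHII", tag, ASCII, len(raw), data_offset + len(values))
            values += raw
    return (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(entries))
            + entry_bytes + struct.pack("<I", 0) + values)


def parse_tiff_ascii_tags(blob: bytes) -> dict:
    """Return the ASCII tags of the first IFD, keyed by tag name (hex number if unknown)."""
    if blob.startswith(b"Exif\x00\x00"):                  # APP1 prefix used inside JPEG files
        blob = blob[6:]
    order = {b"II": "<", b"MM": ">"}.get(blob[:2])         # byte-order mark
    if order is None:
        raise ValueError("not a TIFF/EXIF header")
    magic, ifd_off = struct.unpack(order + "HI", blob[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    (count,) = struct.unpack(order + "H", blob[ifd_off:ifd_off + 2])
    found = {}
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        tag, ftype, n, value_field = struct.unpack(order + "HHI4s", blob[off:off + 12])
        if ftype != ASCII:
            continue                                       # numeric/rational tags not handled here
        if n <= 4:
            raw = value_field[:n]                          # value stored inline
        else:
            (ptr,) = struct.unpack(order + "I", value_field)
            raw = blob[ptr:ptr + n]                        # value stored at an offset
        found[TAG_NAMES.get(tag, hex(tag))] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


# Constructed sample of what a camera might write. The DateTime is only as
# reliable as the camera's clock was when the picture was taken.
SAMPLE_EXIF = b"Exif\x00\x00" + build_tiff({0x010F: "ExampleCam", 0x0110: "X-1",
                                            0x0132: "2010:05:20 09:15:00"})

if __name__ == "__main__":
    print(parse_tiff_ascii_tags(SAMPLE_EXIF))
```

The parser returns only what the camera or editing software actually wrote, which is the slide's later point that metadata is useful but limited: a missing tag is not evidence of anything, and a present tag reflects the device's own settings at the time.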

Basic Steps
• Acquiring evidence without altering or damaging the original
• Authenticating acquired evidence by showing it’s identical to the data originally seized
• Analyzing the evidence without modifying it

Acquiring the Evidence
Seizing the computer: Bag and Tag
Handling computer evidence carefully
– Chain of custody
– Evidence collection
– Evidence identification
– Transportation
– Storage
Making at least two images of each evidence container
– Perhaps a 3rd in a criminal case – for discovery
Documenting, Documenting, Documenting

Preserving Digital Evidence
The “Forensic Image” or “Duplicate”
A virtual “clone” of the entire drive
• Every bit & byte
• “Erased” & reformatted data
• Data in “slack” & unallocated space
• Virtual memory data

Write Blockers
Hard drives are imaged using hardware write blockers

Authenticating the Evidence
Proving that the evidence to be analyzed is exactly the same as what the suspect/party left behind
– Readable text and pictures don’t magically appear at random
– Calculating hash values for the original evidence and the images/duplicates
  • MD5 (Message-Digest algorithm 5)
  • SHA (Secure Hash Algorithm) (NSA/NIST)

What Is a Hash Value?
An MD5 Hash is a 32 character string that looks like:
Acquisition Hash: 3FDSJO90U43JIVJU904FRBEWH
Verification Hash: 3FDSJO90U43JIVJU904FRBEWH
The chances of two different inputs producing the same MD5 hash are greater than:
1 in 340 undecillion, or 1 in 340,000,000,000,000,000,000,000,000,000,000,000,000

File "F:\Wellesley\WELLESLE.E01" was acquired by Detective Papargiris at 02/21/02 06:40:56PM.
The computer system clock read: 02/21/02 06:40:56PM.
Evidence acquired under DOS 7.10 using version 3.19.
File Integrity: Completely Verified, 0 Errors.
Acquisition Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Verification Hash: 88F7BA9EBE833EEDC2AF312DD395BFEC
Drive Geometry: Total Size 12.7GB (26,712,000 sectors)
Cylinders: 28,266  Heads: 15  Sectors: 63
Partitions:
Code  Type    Start Sector  Total Sectors  Size
0C    FAT32X  0             26700030       12.7GB

Hashing Tools – Examples
http://www.miraclesalad.com/webtools/md5.php
http://www.fileformat.info/tool/md5sum.htm
http://www.slavasoft.com/hashcalc/index.htm
Also, AccessData’s FTK Imager can be downloaded free at http://www.accessdata.com/downloads.html

MD5 Hash
128-bit (16-byte) message digest – a sequence of 32 characters
“The quick brown fox jumps over the lazy dog”
9e107d9d372bb6826bd81d3542a419d6
“The quick brown fox jumps over the lazy dog.”
e4d909c290d0fb1ca068ffaddf22cbd0
http://www.miraclesalad.com/webtools/md5.php

Page 28: Divider 2 - Cyber Crime, Digital Evidence Locations, and ... 5-10 Divider 2 - Cyber Crime... · New Crimes, New Techniques ... Microsoft PowerPoint - Divider 2 - Cyber Crime, Digital

Introduction to Cyber Crime, Digital Evidence, and Computer ForensicsTechnology-Assisted Crimes Against Children – May 20-21, 2010Copyright © 2010 National Center for Justice and the Rule of Law – All Rights Reserved 28

What happens when you rename a file?you rename a file?

Page 29: Divider 2 - Cyber Crime, Digital Evidence Locations, and ... 5-10 Divider 2 - Cyber Crime... · New Crimes, New Techniques ... Microsoft PowerPoint - Divider 2 - Cyber Crime, Digital

Introduction to Cyber Crime, Digital Evidence, and Computer ForensicsTechnology-Assisted Crimes Against Children – May 20-21, 2010Copyright © 2010 National Center for Justice and the Rule of Law – All Rights Reserved 29

Or rename the extension?extension?


“Hashing” an Image

MD5  021509c96bc7a6a47718950e78e7a371
SHA1 77fe03b07c0063cf35dc268b19f5a449e5a97386

MD5  ea8450e5e8cf1a1c17c6effccd95b484
SHA1 01f57f330fb06c16d5872f5c1decdfeb88b69cbc

(single pixel changed using Paint program)
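The hash behaviour the previous slides walk through (the two fox sentences, renaming a file or its extension, changing a single byte of an image), as an added Python example that is not part of the original deck; the file names and the "image" bytes are constructed samples.

```python
import hashlib
import os
import tempfile

# The two sentences from the slides; their MD5 values are the ones shown there.
FOX = b"The quick brown fox jumps over the lazy dog"
FOX_DOT = b"The quick brown fox jumps over the lazy dog."


def digests(data: bytes) -> dict:
    """MD5 (32 hex characters) and SHA-1 (40 hex characters) of data."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def hash_file(path: str) -> dict:
    """Same digests for a file, read in chunks so large images fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def rename_vs_modify() -> dict:
    """Hash a constructed 'image', rename it, change its extension, then alter
    one byte (the 'single pixel changed' case); return all four digest sets."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cindy.jpg")
        with open(path, "wb") as f:   # constructed: JPEG SOI marker + filler
            f.write(b"\xff\xd8\xff" + bytes(range(256)) * 4)
        original = hash_file(path)

        renamed = os.path.join(tmp, "holiday.jpg")   # new name, same content
        os.rename(path, renamed)
        after_rename = hash_file(renamed)

        retyped = os.path.join(tmp, "holiday.txt")   # new extension, same content
        os.rename(renamed, retyped)
        after_extension = hash_file(retyped)

        with open(retyped, "r+b") as f:   # overwrite a single byte
            f.seek(100)
            f.write(b"\x00")
        after_edit = hash_file(retyped)
    return {"original": original, "renamed": after_rename,
            "extension": after_extension, "modified": after_edit}
```

Renaming or re-extensioning leaves every digest identical; only the one-byte edit produces new MD5 and SHA-1 values, which is why examiners hash content rather than trusting names.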

Analyzing the Evidence

Working on bit-stream images of the evidence; never the original
– Prevents damaging original evidence
– Two backups of the evidence
  One to work on
  One to copy from if working copy altered

Analyzing everything
– Clues may be found in areas or files seemingly unrelated

Popular Automated Tools

Encase – Guidance Software
http://www.guidancesoftware.com/computer-forensics-ediscovery-software-digital-evidence.htm

Forensic Tool Kit (FTK) – Access Data


Analysis (cont.)

Existing Files
– Mislabeled
– Hidden

Deleted Files
– Trash Bin
– Show up in directory listing with σ in place of first letter
  “taxes.xls” appears as “σaxes.xls”

Free Space
Slack Space
Swap Space

Free Space

Currently unoccupied, or “unallocated” space
May have held information before
Valuable source of data
– Files that have been deleted
– Files that have been moved during defragmentation
– Old virtual memory

Slack Space

Space not occupied by an active file, but not available for use by the operating system
Every file in a computer fills a minimum amount of space
– In some old computers, this is one kilobyte, or 1,024 bytes. In most new computers, this is 32 kilobytes, or 32,768 bytes
– If you have a file 2,000 bytes long, everything after the 2,000th byte is slack space


How “Slack” Is Generated

[Diagram: File A (in RAM) is saved to disk on top of File B (“erased,” but still on disk); File A over-writes File B, creating slack: the remains of File B]

Slack space: The area between the end of the file and the end of the storage unit
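The slack arithmetic from the Slack Space slide and the over-write sequence from the diagram, as an added Python example that is not part of the original deck; the cluster sizes are the slide's figures, while the toy disk and the contents of File A and File B are constructed.

```python
CLUSTER_OLD = 1_024     # "in some old computers" (figure from the slides)
CLUSTER_NEW = 32_768    # "in most new computers" (figure from the slides)


def clusters_needed(size: int, cluster_size: int) -> int:
    return -(-size // cluster_size)          # integer ceiling division


def slack_bytes(size: int, cluster_size: int) -> int:
    """Bytes between the end of a file and the end of its last cluster."""
    return clusters_needed(size, cluster_size) * cluster_size - size


class ToyDisk:
    """Cluster-addressed disk: a byte array plus a directory of live files.
    'Erasing' only drops the directory entry; the bytes stay on the media."""

    def __init__(self, n_clusters: int, cluster_size: int):
        self.cluster_size = cluster_size
        self.media = bytearray(n_clusters * cluster_size)
        self.directory = {}   # name -> (first cluster, size in bytes)

    def write(self, name: str, data: bytes, first_cluster: int) -> None:
        start = first_cluster * self.cluster_size
        # only the file's own bytes are written; whatever already sits in the
        # rest of the last cluster is left untouched, and that is the slack
        self.media[start:start + len(data)] = data
        self.directory[name] = (first_cluster, len(data))

    def erase(self, name: str) -> None:
        del self.directory[name]            # the data is not wiped

    def slack_of(self, name: str) -> bytes:
        first, size = self.directory[name]
        start = first * self.cluster_size
        end = start + clusters_needed(size, self.cluster_size) * self.cluster_size
        return bytes(self.media[start + size:end])


# Constructed sample content for the two files in the slide's diagram
FILE_B = b"FILE B SECRET " * 200            # 2,800 bytes -> 3 old-style clusters
FILE_A = b"A" * 2_000                       # 2,000 bytes -> 2 old-style clusters


def demo_slack() -> bytes:
    """Write File B, 'erase' it, write File A over the same clusters, and
    return what an examiner would find in File A's slack."""
    disk = ToyDisk(n_clusters=4, cluster_size=CLUSTER_OLD)
    disk.write("fileB.txt", FILE_B, first_cluster=0)
    disk.erase("fileB.txt")
    disk.write("fileA.txt", FILE_A, first_cluster=0)
    return disk.slack_of("fileA.txt")
```

With 1,024-byte clusters the 2,000-byte File A leaves 48 bytes of slack, and those 48 bytes are still the tail of File B; with 32,768-byte clusters the same file would leave 30,768 bytes of slack.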

Ways of Trying to Hide Data

Password protection schemes

Encryption

Steganography

Anonymous remailers

Proxy servers

Password Protection

Ex: Secrethelper


Encryption

Sometimes used as a security measure to prevent others from accessing file data.
– Example: “Pretty Good Privacy”

Scrambles file data so that it is unusable.

[Slide figure: an “Encoded” text dump (beginning “begin cindy.jpg”) shown beside the “Decoded” image]

Steganography

StenographyRecovered.png (200 × 200 pixels, file size: 19 KB)

StenographyOriginal.png (200 × 200 pixels, file size: 88 KB)


Another example

Selected “Trend”

“Triage” Forensics

“Rolling” forensics, or “on-site preview”
Image scan
Especially useful in “knock & talk” consent situations, screening multiple computers to determine which to seize, or probation or parole monitoring
Not all agencies equipped or trained yet to do this.


“Triage” Forensics

Increasingly important, as the number and storage capacities of devices rapidly grow.
But does NOT enable a comprehensive, forensically sound examination of any device on the scene.

“When is enough enough?”

“Triage” Forensics - Steps

Attach/Install write-blocking equipment
Turn on target device
Scan for file extensions, such as:
.doc
.jpg (.jpeg)
.mpg (.mpeg)
.avi
.wmv
.bmp

“Triage” Forensics - Steps

Pull up thumbnail views - 10-96 images at a time

Right click on image, save to CD or separate drive.
Determine file structure or file path.
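The extension scan from the triage steps, extended to catch the “Mislabeled” files the Analysis slide warns about, as an added Python example that is not part of the original deck; the signature table, the sample tree and its file contents are constructed, and the scan reports content type by leading bytes so a renamed extension does not hide a file.

```python
import os
import tempfile

TRIAGE_EXTENSIONS = {".doc", ".jpg", ".jpeg", ".mpg", ".mpeg", ".avi", ".wmv", ".bmp"}
# Leading bytes that identify a few of those types (constructed lookup table)
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-doc",   # legacy .doc container
}
EXT_TO_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".doc": "ole-doc"}

def sniff(path: str) -> str:
    """Identify a file by its first bytes, ignoring its name entirely."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return "unknown"

def triage_scan(root: str) -> list:
    """Return (path, sniffed type, mislabeled?) for each file whose extension is
    on the list OR whose content matches a listed type under another name."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            kind = sniff(path)
            if ext in TRIAGE_EXTENSIONS or kind != "unknown":
                mislabeled = kind != "unknown" and kind != EXT_TO_TYPE.get(ext)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, kind, mislabeled))
    return sorted(hits)

def demo_scan() -> list:
    """Constructed tree: a JPEG, the same JPEG renamed .txt, a .doc that is plain text, a plain .txt."""
    samples = {
        "pics/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "notes/readme.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "docs/report.doc": b"just some text\n",
        "misc/todo.txt": b"buy milk\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in samples.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return triage_scan(tmp)
```

The renamed JPEG is reported as mislabeled even though its extension is not on the list, while the plain text file with no listed extension is not reported at all.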


Resources

https://blogs.sans.org/computer-forensics/
http://www.e-evidence.info/biblio.html
http://craigball.com/
– E.g., What Judges Should Know About Computer Forensics (2008)

Questions?

662-915-6898
[email protected]
www.ncjrl.org