Digital Forensics

GaACUA 5/12/14
by

Clark Beecken

on 29 September 2014


Transcript of Digital Forensics

Digital Forensics,
A New Frontier for Internal Audit
Digital Forensic Science
Computer Forensics
Mobile Device Forensics
Network Forensics
Forensic Data Analysis
Database Forensics
Any Questions?
Digital Forensic Science: The goal is to examine digital media in a forensically sound manner, with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.
Mobile Device Forensics: The recovery and review of mobile devices for the data they contain. A highly volatile data source; strategic acquisition is necessary.
Network Forensics: Monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection.
4th Amendment
Chain of Custody
Administrative Legal Precedence
O'Connor v. Ortega, 480 U.S. 709 - Supreme Court (1987)
This set up the "Operational Realities" test.

Ontario v. Quon, 130 S.Ct. 2619, 560 U.S. - Supreme Court (2010)
The ability to audit digital media with respect to work-related functions.

Rehberg v. Paulk, 611 F. 3d 828 - Court of Appeals, 11th Circuit (2010)
There is no reasonable expectation of privacy over digital content once it has reached a third party's server.
Forensic Data Analysis: Analysis of large quantities of data to detect and deter fraudulent activities. Examples: credit card fraud alerts, IDEA, and ACL.

Computer Forensics: Review of live information on volatile sources such as RAM and active server locations, which cannot be taken down for preservation. Code-level analysis of software.

Chain of Custody: This is your external audit trail and the only evidence that the digital media is in a pristine condition, which is what makes it admissible at trial.

Media that has been reviewed without a proper chain of custody is worthless, because a judge will disallow the evidence you find on the device in court.
Key Terms:
Forensically Sound: Operating in a manner which prevents unauthorized changes to the Digital Media.
Mirror: An exact replication of the hard drive on a different storage device.
Working Copy: A Mirror of the device which will be reviewed. Under no circumstances should you review the original device directly.
Hash Values: Evidence integrity tool (i.e. the Digital Media's fingerprint).
Volatile data: Non-permanent information which is easily destroyed unless handled appropriately.

Components:
Digital Media: Any device or component which can store digital information.
Hard Drive: Long-term storage device which operates similarly to a 35mm record and player.
Solid State Drive: Long-term storage with higher operational speeds due to its basis on circuitry.
RAM: Short-term memory. Circuitry based. Data only lasts while the device is powered.

Digital Forensic Science
What is Digital Forensics exactly?
Digital Forensics: "The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validation tools, repeatability, reporting, and possible expert presentation." - Ken Zatyko, Forensic Magazine
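The Key Terms above (Mirror, Working Copy, Hash Values) and the Chain of Custody slide describe one workflow: hash the mirror at acquisition, analyze only a copy whose hash matches, and log every handling step with the hash seen at that time. The script below is an added example, not part of the presentation; it uses a constructed file in a temporary directory as a stand-in for a disk image, a hypothetical item identifier "ITEM-001", and SHA-256 as the hash function (the slides do not name one). It shows that a working copy is verified bit-for-bit before use, and that any later change to the bytes shows up as a hash mismatch in the custody log.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK_SIZE = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (small checks and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    """Hex SHA-256 of a file, streamed in chunks so large images never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled an item, when, and what its hash was at that moment."""

    def __init__(self, item_id: str):
        self.item_id = item_id
        self.entries = []

    def record(self, action: str, custodian: str, sha256: str, note: str = "") -> dict:
        entry = {
            "item": self.item_id,
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "sha256": sha256,
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Return the actions whose hash differs from the acquisition (first) hash.

        An empty list means every later handling step saw unchanged bytes."""
        if not self.entries:
            return []
        reference = self.entries[0]["sha256"]
        return [e["action"] for e in self.entries[1:] if e["sha256"] != reference]


def make_working_copy(mirror_path, dest_dir, custodian: str, log: CustodyLog):
    """Copy the mirror, prove the copy is bit-identical, and log the step.

    Analysis is done on the returned copy; the mirror is only ever read."""
    mirror_path = Path(mirror_path)
    copy_path = Path(dest_dir) / (mirror_path.name + ".working")
    shutil.copyfile(mirror_path, copy_path)
    expected = sha256_file(mirror_path)
    actual = sha256_file(copy_path)
    if actual != expected:
        raise RuntimeError(f"working copy hash {actual} != mirror hash {expected}")
    log.record("working copy created", custodian, actual, f"copied to {copy_path}")
    return copy_path, actual


def demo() -> list:
    """Walk a constructed item through acquisition, copying, re-verification and alteration.

    Returns the actions whose hash no longer matches the acquisition hash."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for a disk image; not a real acquisition.
        mirror = Path(workdir) / "laptop_image.dd"
        mirror.write_bytes(b"constructed sample image block\n" * 4096)

        log = CustodyLog("ITEM-001")  # hypothetical item identifier
        log.record("acquired", "auditor A", sha256_file(mirror), "mirror sealed in bag")
        copy, _ = make_working_copy(mirror, workdir, "auditor A", log)
        log.record("re-verified before analysis", "auditor B", sha256_file(copy))

        # Any change to the bytes, accidental or deliberate, breaks the chain.
        with open(copy, "r+b") as f:
            f.seek(0)
            f.write(b"X")
        log.record("re-verified after alteration", "auditor B", sha256_file(copy))
        return log.verify()


if __name__ == "__main__":
    print(demo())  # -> ['re-verified after alteration']
```

Run it directly to see the single failing step reported. In practice the acquisition hash is written onto the evidence form at the moment the seal is applied, so that every later re-hash is compared against a value recorded before anyone else handled the item.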
How is 4th Amendment precedent affected by cloud computing?
Protected
Duty to Preserve
Zubulake v. UBS Warburg:
The duty to preserve begins when there is a reasonable anticipation of litigation. Failing to take action can result in Spoliation: the intentional or negligent withholding, hiding, altering, or destroying of evidence. Expect potentially large sanctions against your employer.
Locard's Exchange Principle
In the physical world, when someone enters or leaves a room they leave something behind and take something with them.
The same is true in both Accounting and Information Technology. How will you find it?
Basic Preservation Process
Pre-Acquisition Phase

Identify the Digital Media to acquire.
Gain an understanding of how the device functions.
Is this a volatile source of information?
Where is the digital media located?
Is there a risk of deletion should the individual become aware?
Will this be recoverable?
Does this individual have any unique access?
External access to shared drives
Devices and media at a personal residence
Shared accounts
Pre-Acquisition
Acquisition Phase
Acquisition of Desktops and Laptops
Determine if individual(s) under review need to be present during acquisition. Can you audio record the event?
Take pictures of the location of the device(s).
Who needs to conduct the extraction of the memory?
You will need an understanding of the device and competency in Information Technology.
Start chain of custody on each individual item.
Seal the device in an antistatic bag with tamper tape.
Static can destroy the ability to access data
Sign and date across the seal between the tape and bag
Store device in secure location.
Acquisition of Mobile Devices
Determine if individual(s) under review need to be present during acquisition. Can you audio record the event?
If collected from an office, rather than at interview, take pictures of the entire scene.
Who needs to conduct the preservation?
You will need to be able to turn on airplane mode.
Start chain of custody on each individual item.
Seal the device in an anti-static bag with tamper tape.
Static can destroy the ability to access data.
Sign and date across the seal between the tape and bag.
Store in a secure location.
Do not give the target (user of the digital device) any advance warning!!!