cyber forensics - TYPES OF CYBER FORENSICS.ppt

mcjaya2024 15 views 27 slides Mar 06, 2025

TYPES OF CYBER FORENSICS

Military Computer Forensic Technology
Law Enforcement Computer Forensic
Business Computer Forensic

Types of Computer Forensics Technology
Military Computer Forensic Technology
Key objectives of cyber forensics include rapid discovery of evidence, estimation of
potential impact of the malicious activity on the victim, and assessment of the intent and
identity of the perpetrator.
National Law Enforcement and Corrections Technology Center (NLECTC) works with criminal
justice professionals to identify urgent and emerging technology needs.
National Institute of Justice (NIJ) sponsors research and development or identifies best
practices to address those needs.
CFX-2000 is an integrated forensic analysis framework. The central hypothesis of CFX-2000
is that it is possible to accurately determine the motives, intent, targets, sophistication,
identity, and location of cyber criminals and cyber terrorists by deploying an integrated
forensic analysis framework.
The Synthesizing Information from Forensic Investigations (SI-FI) integration environment
supports the collection, examination, and analysis processes employed during a cyber-
forensic investigation.
The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof
containers used to store digital evidence.

Law Enforcement Computer Forensic
Computer Evidence Processing Procedures
Processing procedures and methodologies should conform to federal computer
evidence processing standards.
1. Preservation of Evidence
•Computer evidence is fragile and susceptible to alteration or erasure by any
number of occurrences.
•Computer evidence can be useful in criminal cases, civil disputes, and human
resources/ employment proceedings.
•Black box computer forensics software tools are good for some basic investigation
tasks, but they do not offer a full computer forensics solution.
•SafeBack software overcomes some of the evidence weaknesses inherent in black
box computer forensics approaches.
•SafeBack technology has become a worldwide standard in making mirror image
backups since 1990. (SafeBack is used to create mirror-image (bit-stream) backup
files of hard disks or to make a mirror-image copy of an entire hard disk drive or
partition. SafeBack image files cannot be altered or modified.)
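As an added illustration (not code from the deck, from SafeBack or from SI-FI), the following Python models two ideas from this section together with the digital evidence bags (DEBs) described under the military technology slide: a bit-stream image whose hash is checked against the source as it is acquired, and a sealed container that makes any later change to the image or its manifest detectable. The disk contents, case id, examiner name and key are constructed values.

```python
import hashlib, hmac, io, json

# Constructed stand-in for a drive: eight 512-byte "sectors" held in memory.
FAKE_DISK = b"".join(bytes([i]) * 512 for i in range(8))

def image_device(src, dst, chunk=4096):
    """Bit-stream copy of src into dst, hashing the source while it is read
    and re-hashing the finished image so a bad write is caught immediately."""
    src_h = hashlib.sha256()
    for block in iter(lambda: src.read(chunk), b""):
        src_h.update(block)
        dst.write(block)
    dst.seek(0)
    img_h = hashlib.sha256()
    for block in iter(lambda: dst.read(chunk), b""):
        img_h.update(block)
    if src_h.digest() != img_h.digest():
        raise RuntimeError("image does not match source; acquisition failed")
    return src_h.hexdigest()

def seal_bag(image, digest, key, case_id, examiner):
    """Digital evidence bag: image plus manifest, sealed with an HMAC so any
    change to the bytes or the metadata is detectable at verification."""
    manifest = {"case_id": case_id, "examiner": examiner,
                "size": len(image), "sha256": digest}
    body = json.dumps(manifest, sort_keys=True).encode()
    seal = hmac.new(key, body + image, "sha256").hexdigest()
    return {"manifest": manifest, "image": image, "seal": seal}

def verify_bag(bag, key):
    """True only if the seal matches and the image still hashes to the manifest."""
    body = json.dumps(bag["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body + bag["image"], "sha256").hexdigest()
    seal_ok = hmac.compare_digest(expected, bag["seal"])
    hash_ok = hashlib.sha256(bag["image"]).hexdigest() == bag["manifest"]["sha256"]
    return seal_ok and hash_ok

def acquire_and_seal(disk_bytes, key, case_id, examiner):
    """Image a (constructed) device held in memory and seal the result in a bag."""
    img = io.BytesIO()
    digest = image_device(io.BytesIO(disk_bytes), img)
    return seal_bag(img.getvalue(), digest, key, case_id, examiner)

def demo(key=b"constructed-lab-key"):
    """Acquire the constructed disk, then show that a single flipped byte is caught."""
    bag = acquire_and_seal(FAKE_DISK, key, "CASE-0001", "examiner-A")
    tampered = dict(bag, image=bag["image"][:100] + b"\xff" + bag["image"][101:])
    return verify_bag(bag, key), verify_bag(tampered, key)
```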

2. Disk Structure: evidence can reside at various levels within the structure of the disk.
3. Data Encryption: computer forensic experts should become familiar with the use of software to crack security
associated with the different file structures.
4. Matching a Diskette to a Computer:
Specialized techniques and tools make it possible to conclusively tie a diskette to a
computer that was used to create or edit files stored on it. Computer forensic experts
should become familiar with how to use special software tools to complete this process.
5. Data Compression
Computer forensic experts should become familiar with how compression works and
how compression programs can be used to hide and disguise sensitive data, and also
learn how password-protected compressed files can be broken.
6. Erased Files
Computer forensic experts should become familiar with how previously erased files can
be recovered by using DOS programs and by manually applying data-recovery techniques, and
with cluster chaining.
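An added example (not from the slides) of the cluster-chaining idea in item 6: walking a live file's FAT chain, and recovering a deleted file whose FAT entries were zeroed on deletion by assuming contiguous allocation and stopping at any cluster that has been reused since. The FAT16-style volume, file names and contents are constructed.

```python
from collections import namedtuple

CLUSTER_SIZE = 16      # bytes per cluster in the constructed volume
EOC = 0xFFF8           # FAT16 end-of-chain marker: any entry >= EOC ends a chain
FREE = 0x0000          # FAT entry value for an unallocated cluster
DirEntry = namedtuple("DirEntry", "name start size")  # 8.3 name, first cluster, bytes

def walk_chain(fat, start):
    """Follow a live file's cluster chain through the FAT until end-of-chain.
    Loops and out-of-range entries are rejected; both occur in damaged volumes."""
    chain, cur = [], start
    while cur < EOC:
        if cur in chain or cur >= len(fat):
            raise ValueError(f"bad chain at cluster {cur}")
        chain.append(cur)
        cur = fat[cur]
    return chain

def read_clusters(data, chain, size):
    """Concatenate the clusters in chain order and trim to the file size."""
    return b"".join(data[c] for c in chain)[:size]

def recover_deleted(fat, data, entry):
    """Deleting a file clears its FAT entries, so the chain itself is gone;
    only the start cluster and size survive in the directory entry. Assume
    the file was contiguous and read forward, stopping at the first cluster
    that has since been allocated to another file (FAT entry no longer FREE).
    Returns (recovered bytes, True if every needed cluster was still free)."""
    if entry.name[0] != 0xE5:
        raise ValueError("not a deleted directory entry")
    needed = -(-entry.size // CLUSTER_SIZE)          # ceiling division
    chain = []
    for c in range(entry.start, entry.start + needed):
        if c >= len(fat) or fat[c] != FREE:
            break                                    # reused or out of range
        chain.append(c)
    return read_clusters(data, chain, entry.size), len(chain) == needed

# Constructed 8-cluster volume: one live file at 2->5, one deleted file that
# occupied clusters 3 and 4 (FAT entries zeroed by deletion, data untouched).
FAT = [0xFFF8, 0xFFFF, 5, FREE, FREE, 0xFFFF, FREE, FREE]
DATA = [b"\x00" * CLUSTER_SIZE] * 8
DATA[2], DATA[5] = b"LIVE FILE PART 1", b"LIVE FILE PART 2"
DATA[3], DATA[4] = b"deleted memo: do", b" not share this!"
LIVE = DirEntry(b"REPORT  TXT", start=2, size=32)
DELETED = DirEntry(b"\xe5EMO    TXT", start=3, size=32)
```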

7. Internet Abuse Identification and Detection
•Computer forensic experts should become familiar with how to use specialized software to
identify how a targeted computer has been used on the Internet.
•This process will focus on computer forensics issues tied to data that the computer user
probably doesn’t realize exists (file slack, unallocated file space, and Windows swap files).
8. The Boot Process and Memory Resident Programs
•Computer forensic experts should become familiar with how the operating system can be
modified to change data and destroy data at the whim of the person who configured the
system.
•Such a technique could be used to covertly capture keyboard activity from corporate
executives, for example. For this reason, it is important that the experts understand these
potential risks and how to identify them.

Business Computer Forensic
•Data Interception by Remote Transmission (DIRT) is a powerful
remote control monitoring tool that allows stealth monitoring of
all activity on one or more target computers simultaneously from
a remote command centre.
•No physical access is necessary. Application also allows agents
to remotely seize and secure digital evidence prior to physically
entering suspect premises.

Theft Recovery Software For Laptops And PCs
What it really costs to replace a stolen computer:
•The price of the replacement hardware & software.
•The cost of recreating data, lost production time or instruction
time, reporting and investigating the theft, filing police reports and
insurance claims, increased insurance, processing and ordering
replacements, cutting a check, and the like.
•The loss of customer goodwill.
•If a thief is ever caught, the cost of time involved in prosecution.
PC PHONEHOME
•PC PhoneHome is a software application that will track and locate a
lost or stolen PC or laptop anywhere in the world. It is easy to
install. It is also completely transparent to the user.
•If your PC PhoneHome-protected computer is lost or stolen, all you
need to do is make a report to the local police and call CD’s 24-hour
command center. CD’s recovery specialists will assist local law
enforcement in the recovery of your property.

Creating Trackable Electronic Documents - intrusion detection tool
•Binary Audit Identification Transfer (BAIT) is a powerful intrusion detection
tool that allows users to create trackable electronic documents.
•BAIT identifies (including their location) unauthorized intruders who
access, download, and view these tagged documents.
•BAIT also allows security personnel to trace the chain of custody and
chain of command of all who possess the stolen electronic documents.

FORENSIC SERVICES AVAILABLE
Services include but are not limited to:
•Lost password and file recovery
•Location and retrieval of deleted and hidden files
•File and email decryption
•Email supervision and authentication
•Threatening email traced to source
•Identification of Internet activity
•Computer usage policy and supervision
•Remote PC and network monitoring
•Tracking and location of stolen electronic files
•Honeypot sting operations
•Location and identity of unauthorized software users
•Theft recovery software for laptops and PCs
•Investigative and security software creation
•Protection from hackers and viruses

•https://www.police.vic.gov.au/forensic-services

INCIDENT AND INCIDENT RESPONSE METHODOLOGY

WHAT IS A COMPUTER SECURITY INCIDENT?
•We define a computer security incident as any unlawful, unauthorized, or unacceptable
action that involves a computer system or a computer network.
Such an action can include any of the following events:
•Theft of trade secrets: occurs when a person uses confidential business information
without authorization.
•Email spam or harassment: the recipient has not granted verifiable permission for
the message to be sent.
•Unauthorized or unlawful intrusions into computing systems: it is unlawful
for any person to knowingly intrude upon any other person without his or her consent or
knowledge.
•Embezzlement (fraud): a form of fraud wherein a person or entity intentionally
misappropriates assets for personal use.
•Possession or dissemination of child pornography
•Denial-of-service (DoS) attacks: shut down a machine or network, making it inaccessible
to its intended users.
•Tortious (wrongful) interference with business relations
•Extortion

Incident response
•Incident response is the methodology an
organization uses to respond to and manage a
cyber attack.
•Incident response is a term used to describe
the process by which an organization handles
a data breach or cyber attack, including the
way the organization attempts to manage the
consequences of the attack or breach (the
“incident”).

WHAT ARE THE GOALS OF INCIDENT RESPONSE?
•Prevents a disjointed, non-cohesive response, which could be disastrous.
•Confirms or dispels whether an incident occurred.
•Promotes accumulation of accurate information.
•Establishes controls for proper retrieval and handling of evidence.
•Protects privacy rights established by law and policy.
•Minimizes disruption to business and network operations.
•Allows for criminal or civil action against perpetrators.
•Provides accurate reports and useful recommendations.
•Provides rapid detection and containment.
•Minimizes exposure and compromise of proprietary data.
•Protects your organization’s reputation and assets.
•Educates senior management.
•Promotes rapid detection and/or prevention of such incidents in the future (via
lessons learned, policy changes, and so on).

WHO IS INVOLVED IN THE INCIDENT RESPONSE PROCESS?
•Human resources personnel: responsible for recruiting, screening, interviewing and placing
workers.
•Legal counsel: provides legal advice and guidance on matters of law.
•Technical experts: provide specific knowledge or expertise to the assessment
team relating to the organization.
•Security professionals: responsible for protecting the networks, infrastructure and
systems of a business or organisation.
•Corporate security officers: employed by private companies to guard physical property and
personnel from vandalism, theft, bodily harm, fire or illegal activity.
•Business managers: supervise and lead a company's operations and employees.
•End users: the consumers of a good or service.
•Helpdesk workers: troubleshoot problems or provide guidance about products.
•Other employees may find themselves involved in responding to a computer security incident.

CSIRT- Computer Security Incident Response Team
1. The CSIRT's role is to respond to any computer security incident.
2. The CSIRT is a multidisciplinary team with the
appropriate legal, technical, and other expertise
necessary to resolve an incident.
3. The CSIRT is normally a dynamic team assembled
when an organization requires its capabilities.

Roles and Responsibilities of CSIRT

INCIDENT RESPONSE METHODOLOGY
We use a “black box” approach. We divide the larger problem of incident
resolution into components and examine the inputs and outputs of each component.
1. Pre-incident preparation
2. Detection of incidents
3. Initial response
4. Formulate response strategy
5. Investigate the incident
6. Reporting
7. Resolution

•Pre-incident preparation: Take actions to prepare the organization and the CSIRT before an
incident occurs.
•Detection of incidents: Identify a potential computer security incident.
•Initial response: Perform an initial investigation, recording the basic details surrounding the
incident, assembling the incident response team, and notifying the individuals who need to
know about the incident.
•Formulate response strategy: Based on the results of all the known facts, determine the best
response and obtain management approval. Determine what civil, criminal, administrative,
or other actions are appropriate to take, based on the conclusions drawn from the
investigation.
•Investigate the incident: Perform a thorough collection of data. Review the data collected to
determine what happened, when it happened, who did it, and how it can be prevented in the
future.
•Reporting: Accurately report information about the investigation in a manner useful to
decision makers.
•Resolution: Employ security measures and procedural changes, record lessons learned, and
develop long-term fixes for any problems identified.