Computer & Network Forensics


1. Digital Forensics

1.1. Computer Forensics

1.1.1. Includes: laptops, operating systems, file systems, virtual machines, desktops, tablets, mobile devices

1.1.2. Focus has shifted towards mobile devices as people spend more time on their mobile phones

1.1.3. Digital evidence: data of value to an investigator that is stored, received or transmitted by an electronic device

1.1.4. Tools: open source (e.g. Autopsy) and closed source (e.g. EnCase). Personal approach: use open source to own the capability and understand the concepts

1.2. Network Forensics

1.2.1. Definition: refers to data in transit, transmitted via a private or public network

1.2.2. Includes: domain name analysis, web vulnerability, network sniffing (eavesdropping on the bit stream), detecting network intrusions and attacks, re-assembling traffic

1.3. involves

1.3.1. Preservation

1.3.2. Acquisition

1.3.3. Documentation

1.3.4. Analysis

1.3.5. Interpretation

2. Introduction

2.1. Multi-disciplinary & wide coverage

2.2. Tools might be abused

3. Forensics Process

3.1. Identification

3.1.1. Application of sciences to answer the questions of interest to the legal system

3.2. Extraction

3.2.1. Ranges from simple information retrieval to reconstructing the series of events leading to the incident

3.3. Deliverables for court

3.3.1. Documentation. Purpose: report for public presentation; answers the "what" question

3.3.2. Intelligent data: supports guilt / innocence; shows the timeline of events leading to the incident; shows hidden relationships

3.3.3. Evidence

3.3.3.1. Definition: includes any testimony, documents or tangible matter that will be introduced to the judge to establish a point put forth by the party

3.3.3.2. Legally admissible evidence: must be able to prove its preservation via

3.3.3.2.1. Digital hash: shows that the data was not tampered with by anyone

3.3.3.2.2. Chain of custody: refers to the process of maintaining & documenting who is handling the evidence

3.3.3.2.3. Dual tool verification: results need to be confirmed with at least 2 tools, since different software versions may produce different results

3.3.3.3. Methods
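The three preservation checks in this node (digital hash, chain of custody, dual tool verification) in working form, as an added example that is not part of the original mind map. It hashes a constructed stand-in for an acquired disk image with two algorithms so a second tool can confirm the result, logs each hand-over with the digests seen, and shows that a single changed byte in a copy fails verification. The item id, custodian names and image bytes are constructed for the demonstration.

```python
"""Hash-based preservation check and chain-of-custody log for a disk image.

Added example; not part of the original mind map. The evidence bytes,
item id and custodian names below are constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image. A real image would be a
# file read in chunks; the hashing logic below is the same.
EVIDENCE_IMAGE = b"MBR\x00" + bytes(range(256)) * 4 + b"\x55\xaa"


def hash_image(data: bytes, algorithms=("sha256", "md5")) -> dict:
    """Compute one digest per algorithm over the same bytes.

    Recording more than one algorithm lets a second tool confirm the result
    (dual tool verification) and avoids relying on a single algorithm.
    """
    digests = {}
    for name in algorithms:
        h = hashlib.new(name)
        # Hash in fixed-size chunks, as one would for a multi-gigabyte image.
        for offset in range(0, len(data), 4096):
            h.update(data[offset:offset + 4096])
        digests[name] = h.hexdigest()
    return digests


@dataclass
class CustodyRecord:
    """Who handled the evidence, when, what they did, and the hashes seen."""
    item_id: str
    entries: list = field(default_factory=list)

    def log(self, custodian: str, action: str, digests: dict) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "digests": dict(digests),
        })


def verify_integrity(data: bytes, acquisition_digests: dict) -> bool:
    """True only if every digest recorded at acquisition matches the image now."""
    current = hash_image(data, tuple(acquisition_digests))
    return all(current[a] == acquisition_digests[a] for a in acquisition_digests)


def run_demo() -> dict:
    """Acquire, hand over, re-verify, and detect a tampered copy."""
    record = CustodyRecord(item_id="ITEM-001")  # constructed identifier
    acquired = hash_image(EVIDENCE_IMAGE)
    record.log("examiner A", "acquired image", acquired)

    # Examiner B receives the image and re-hashes it before analysing it.
    received = hash_image(EVIDENCE_IMAGE)
    record.log("examiner B", "received image, re-hashed", received)
    intact = verify_integrity(EVIDENCE_IMAGE, acquired)

    # One flipped byte in a copy is enough to fail the preservation check.
    tampered = bytearray(EVIDENCE_IMAGE)
    tampered[100] ^= 0x01
    tampered_ok = verify_integrity(bytes(tampered), acquired)

    return {"intact": intact, "tampered_ok": tampered_ok,
            "entries": len(record.entries), "sha256": acquired["sha256"]}


if __name__ == "__main__":
    print(run_demo())
```

The custody log stores the digests alongside each entry, so a reviewer can see not only who held the item but that the hashes agreed at every hand-over; any entry whose digests differ from the acquisition values marks the point where integrity was lost.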

4. Daubert Evidence Standard

4.1. Aims: Assess the reliability of scientific / digital evidence

4.2. Criteria

4.2.1. Has the technique been tested?

4.2.2. Has it undergone peer review?

4.2.3. Is there a known error rate?

4.2.4. Do standards controlling its operation exist and are they maintained?

4.2.5. Is the technique generally accepted by the scientific community?

4.3. A Daubert motion is a challenge to the "expert" to explain the evidence in simple terms

4.4. Note: open source tools may comprehensively meet the standard

5. Types of Evidences

5.1. Circumstantial Evidence

5.1.1. Relied on as an inference for suspected connections

5.1.2. Possible relation to the case

5.2. Direct Evidence

5.2.1. Supports the truth of an assertion directly, without the need for any additional evidence or inference. E.g. a murder weapon bearing the fingerprints of the suspected murderer

5.3. They can be

5.3.1. Exculpatory: evidence that is favorable to the defendant [acquit]

5.3.2. Inculpatory: evidence that shows or tends to prove guilt

6. Locard's Exchange Principle

6.1. Technical Term: Transfer

6.2. What does this mean?

6.2.1. Every contact leaves a trace

6.2.2. Motivation to search harder

6.2.3. Applies to everyone: whoever handles the evidence might unintentionally change its content

7. Practical / Application Examples

7.1. Application of computer forensics in recovering art pieces

7.2. Netspionage

7.2.1. The use of networks, computers & other associated capabilities to steal corporations' secrets (commercial or government)

7.2.2. People who commit this crime are called techno-spies or netspionage agents

7.3. Law

7.3.1. Bribery, uncovered with the help of email exchanges in and out of the device

7.4. Spying on the Government through encryption machines