www.huawei.com
Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved.
Digital Forensics
Foreword
• Today, computers are used the world over. The pervasiveness of computers has led to an ever-increasing number of computer-related court cases, such as electronic commerce disputes and cybercrimes. In the process of judging or handling disputes and criminal cases, a new form of litigation evidence has emerged, namely, digital evidence. The characteristics that distinguish digital evidence and digital forensics from traditional physical evidence and forensic methods pose new research topics in the field of law and computer science.
• This document describes the digital forensic process.
Contents
1. Overview
  • Cybercrime
  • Overview of Digital Forensics
2. Digital Forensic Process
Cybercrime
• Definition:
  • In violation of legal regulations, a bad actor deliberately:
    • Invades a computer information system or compromises the functionality of the system and its related data and applications
    • Produces or disseminates computer viruses
    • Affects the normal operation of a system or causes detrimental effects
• Cybercrimes usually take two forms:
  • Use of computers to store information related to criminal activities
  • Direct use of computers as a crime tool to launch criminal activities
Characteristics of Cybercrimes
• Over the past decade or so, the number of cybercrimes has risen year on year. Cybercrimes generally have the following characteristics:
  • Professional means
  • Complex and diverse motives
  • Covert forms
  • Transnational
  • Huge potential damage
  • Many members and lowering ages
Cybercrime Motives
• The motives of cybercrime are complicated and diverse:
  • Trick: idle and dull people with some skills who want to access any website they are interested in
  • Prestige: people who want to prove their competence and win respect and recognition from their counterparts
  • Revenge: suspended, dismissed, demoted, or unjustly treated people who take revenge to cause maximum impact
  • Ignorance: people who are learning about computers and networks perform misoperations or accidentally discover a vulnerability that may affect data
  • Profit: people who are employed to intrude into a target system to steal or tamper with information for huge financial gains
  • Political action: destruction, theft of intelligence, and information warfare
Forms of Cybercrime
• Cybercrimes take various forms. Common forms are listed as follows:
  • Trojan horse
  • Hacker
  • Backdoor
  • DDoS
  • Virus
  • Worm
  • Internal and external information leakage
Overview of Digital Forensics
• Digital evidence
  • Digital evidence is information stored or transmitted in binary form during the operation of a computer or computer system and is used in a court case.
  • Digital evidence is also known as electronic evidence and computer evidence.
• Digital evidence may take the form of text, graphs, images, animations, audio, or video.
Sources of Digital Evidence
• Common digital evidence in judicial practices falls into three categories:
  • Digital evidence related to modern communications technologies
  • Digital evidence related to other modern information technologies, such as broadcasting, television, and film
  • Digital evidence related to computer technologies or network technologies
• Examples by category:
  • Communications: mobile phone audio records, chat history, digital data, fax data
  • Broadcasting, television, and film: TV series, video, movies
  • Computer and network: database operation records, browser cache, network monitoring traffic, operating system logs
Characteristics of Digital Evidence
• Dependent on technology: digital evidence depends heavily on computer and storage technologies. Without high-tech equipment, digital evidence cannot be saved or transmitted.
• Composite: digital evidence is not a single piece of data, images, or sound, but a combination of data, images, sounds, graphs, animations, and text.
• Vulnerable and fragile: digital evidence may be easily compromised during generation and transmission due to its dependence on electronic digital devices such as computers. This may damage or even prevent the use of the digital evidence.
• Easily fabricated: attackers use hacker methods to invade computer systems and steal passwords in order to arbitrarily tamper with electronic data, making it difficult to validate evidence.
• Not directly perceivable: unlike traditional evidence, which can be directly seen, heard, or touched, digital evidence is stored in optical, electronic, or magnetic form on various types of electronic devices.
• Dynamic: digital evidence can reflect a dynamic and continuous process that vividly reproduces the scene.
Concept of Computer Forensics
• Computer forensics is also known as digital forensics or electronic forensics.
• Definition:
  • Computer forensics refers to the process of confirming, protecting, extracting, archiving, and presenting at a court digital evidence that exists in computers and related peripherals. This evidence must be reliable, persuasive, and acceptable by the court.
Regulations and Standards for Digital Forensics
US
• Since the release of the Federal Rules of Evidence in 1976, a number of laws have emerged in the US to address the problems brought by digital evidence:
  • Economic Espionage Act of 1976: deals with business secret thefts.
  • Electronic Communications Privacy Act of 1986: deals with the eavesdropping of electronic communications.
  • Computer Security Act of 1987 (Public Law 100-235): deals with security problems in government computer systems.
IETF and ITU
• Early in February 2002, the IETF released RFC 3227, Guidelines for Evidence Collection and Archiving.
• The ITU released the draft Digital Evidence Act and Understanding Cybercrime: A Guide for Developing Countries in April 2009, and Understanding Cybercrime: Phenomena, challenges and legal response in September 2012.
International Organization for Standardization (ISO)
• The Information Security Technical Committee of the International Organization for Standardization (ISO) released the Guidelines for identification, collection, acquisition and preservation of digital evidence in October 2012 (ISO/IEC 27037:2012).
China
• The Electronic Data Identification Rules for Public Security Authorities issued in 2005 explicitly require that the electronic data appraisers of the public security organs should fulfill and comply with the industry standards and obligations stipulated in inspection and appraisal procedures.
• The Measures on Registration and Administration of Public Security Agency Authentication Institutes (order No. 83 of the Ministry of Public Security) issued in 2006 explicitly incorporates the technical standards compliance of authentication institutes into the annual appraisal of public security registration and administration departments.
• The General Rules on the Procedures for Judicial Authentication (order No. 107 of the Ministry of Justice) issued in 2007 poses detailed requirements on the adoption of technical standards by appraisers.
Status and Trend of Digital Forensics
Status
1. China/Pakistan was a late adopter of computers and therefore relevant laws and regulations are insufficient.
2. Academic research on cybercrimes mainly focuses on their characteristics, preventive measures, and impact on people. Forensics technologies are no longer sufficient to combat cybercrimes or to protect network and information security.
3. China/Pakistan must independently develop computer forensic tools and software that can meet its specific requirements and comprehensively check computers and network systems.
Trend
1. Integration of other theories and technologies (such as AI, machine learning, neural networks, data mining, and information security technologies) into forensic technologies
2. Specialization and automation of forensic tools
3. Sufficient information reserved during network protocol design for potential forensic activities
Contents
1. Overview of Digital Forensics
2. Digital Forensic Process
Principles of Digital Forensics
The principles center on the integrity of the evidence:
• Collect evidence as soon as possible and ensure it is not damaged.
• Explain changes in evidence from when it is initially collected to when it is officially presented.
• The entire examination and forensic process must be supervised.
• Search all files in the target system, comprehensively analyze them, and provide necessary expert testimony.
• During forensic examination, protect target computer systems to avoid any change, data damage, or virus infection.
Digital Forensic Process
• According to the characteristics of digital evidence, it is essential to collect evidence as soon as possible during digital forensics to ensure that it has not been damaged. Digital forensics usually involves the following steps:
  1. Protect the scene
  2. Obtain evidence
  3. Preserve evidence
  4. Verify evidence
  5. Analyze evidence
  6. Trace
  7. Present evidence
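The "preserve" and "verify" steps above, together with the principle of explaining every change in evidence between collection and presentation, are usually implemented with a cryptographic hash taken at acquisition and a chain-of-custody log. The following Python is an added illustration, not code from this deck or from Huawei: it hashes a constructed sample image with SHA-256, keeps a custody log in which every entry carries the hash of the previous entry (so a later edit to the log is detectable), and shows that both a modified image and a modified log entry fail verification. The evidence id, handler names and log field names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # previous-entry hash used for the first custody entry


def sha256_hex(data: bytes) -> str:
    """Hash of an evidence item; recomputed at every hand-over to show it is unchanged."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Chain-of-custody log for one evidence item (hypothetical format, not a standard).

    Each entry stores the hash of the previous entry, so editing or deleting an
    entry after the fact breaks the chain and is detected by verify_log().
    """

    def __init__(self, evidence_id: str, acquired: bytes, handler: str):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_hex(acquired)  # reference hash taken at acquisition
        self.entries = []
        self.record("acquired", handler, self.acquisition_hash, "image acquired at scene")

    def record(self, action: str, handler: str, observed_hash: str,
               note: str = "", when: Optional[str] = None) -> dict:
        """Append one custody event; observed_hash is what the handler computed on receipt."""
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "observed_hash": observed_hash,
            "hash_matches_acquisition": observed_hash == self.acquisition_hash,
            "note": note,
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        # The entry hash covers every field above, including the link to the predecessor.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify_evidence(self, data: bytes) -> bool:
        """Does the item as held now still match the hash recorded at acquisition?"""
        return sha256_hex(data) == self.acquisition_hash

    def verify_log(self) -> bool:
        """Walk the chain: each entry must hash to its entry_hash and point at its predecessor."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev_entry_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> tuple:
    """Constructed walk-through: sound hand-over, then a tampered image, then a tampered log."""
    image = b"CONSTRUCTED sample disk image content, not a real acquisition"  # constructed input
    log = CustodyLog("EXH-001", image, "examiner-A")
    # Hand-over to the lab: the receiver recomputes the hash and the result is logged.
    log.record("transferred", "examiner-B", sha256_hex(image), "received at lab, hash re-computed")
    intact = log.verify_evidence(image)                 # True: unchanged since acquisition
    tampered = log.verify_evidence(image[:-1] + b"!")   # False: a single byte differs
    log_ok = log.verify_log()                           # True: chain is consistent
    log.entries[1]["handler"] = "unknown"               # someone edits the log after the fact
    log_broken = log.verify_log()                       # False: entry hash no longer matches
    return intact, tampered, log_ok, log_broken


if __name__ == "__main__":
    print(demo())
```

In practice the acquisition hash is also written to the examiner's notes and to the evidence label, so that the log and the item can be checked against each other independently at presentation time; the hash chain only protects the log against silent edits, not against an attacker who replaces the whole log, which is why the supervision principle above still applies.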
Summary
• Overview of Digital Forensics
  • Cybercrime
  • Overview of Digital Forensics
• Digital Forensic Process
Thank You
www.huawei.com
