
Page 1: Digital Forensics Presentation

Digital Forensics

Kathryn McBride, University of Central Florida

Masters of Science in Digital Forensics

Page 2: Digital Forensics Presentation

Introduction

What is Digital Forensics?

Forensics, or forensic science, is the application of science to questions that are of interest to the legal system. Digital forensics is the analysis of computers and other types of digital media to determine if they have been used for illegal or unauthorized activities, or if they are the "victims" of illegal attacks.

Page 3: Digital Forensics Presentation

Digital Forensics

Business and industry use digital forensics to gather internal information regarding intellectual property theft, fraud, network and computer intrusions, and unauthorized use of computers and other digital media including fax machines, answering machines, personal data assistants, cell phones, etc., to assist in employee termination, and both civil and criminal litigation.

Page 4: Digital Forensics Presentation

Digital Forensics

Law enforcement agencies use digital forensics to gather digital evidence for a variety of crimes including child pornography, fraud, terrorism, extortion, cyberstalking, money laundering, forgery, and identity theft.

The military and government intelligence agencies use digital forensics to gather intelligence information from computers captured during military actions.

Page 5: Digital Forensics Presentation

Introduction

When did the program start?

January 2008

Where is the program located?

In Orlando, FL at the University of Central Florida.

At the National Center of Forensic Science in Research Parkway-E Orlando

Page 6: Digital Forensics Presentation

Introduction

Why was this program started?

A need for prosecution in computer forensics as the number of Internet users increases.

How do you obtain a degree/certification in this area?

30 hours - Science/Computing Track

30 hours - Professional Track (for those already in the business)

Page 7: Digital Forensics Presentation

Introduction

The MSDF degree is a collaborative effort between various UCF academic departments - Electrical Engineering and Computer Science, Engineering Technology, Forensic Science of Chemistry, Criminal Justice and Legal Studies - and the National Center for Forensic Science. The National Center for Forensic Science is a State of Florida Type II Center and a member of the National Institute of Justice Forensic Resource Network of the Department of Justice, serving the needs of state and local law enforcement and forensic scientists.

Page 8: Digital Forensics Presentation

Introduction

The Professional Track is directed toward current professionals in the field, who will pursue the degree as part-time students, and those who would like to gain the knowledge and skills required to work as an examiner in the field. The Science/Computing Track is directed toward those with an interest in scientific applications and research in the field. These students will be full-time, conducting research with faculty resulting in a thesis (or choosing the non-thesis option with an internship), and may be interested in pursuing a doctoral degree in a related field or a law degree afterward. The MS degree in Digital Forensics addresses a local, state and national need for state-of-the-art education in the area of digital forensics.

Page 9: Digital Forensics Presentation

Admission Requirements

The admission requirements for both the Professional Track and Science/Computing Track are consistent with those of most M.S. programs in the U.S. Students will be selected on a competitive basis and must meet the following minimum requirements:

An earned Bachelor's degree from an accredited university.

A minimum GPA of 3.0 (on a scale of 4.0) in all work attempted as an undergraduate student or in the last 60 attempted hours for the Bachelor's degree, or a graduate degree, professional degree or equivalent from a regionally accredited US institution in a field related to digital forensics.

A personal statement (essay) not exceeding 500 words describing the applicant's academic and professional experiences and goals.

Three letters of recommendation assessing the applicant's potential to do master's-level work.

Page 10: Digital Forensics Presentation

Science/Computing Track

The Science/Computing Track is directed toward those with an interest in scientific applications and research in the field. These students will be full-time, conducting research with faculty resulting in a thesis (or choosing the non-thesis option with an internship), and may be interested in pursuing a doctoral degree in a related field or a law degree afterward. The MS degree in Digital Forensics addresses a local, state and national need for state-of-the-art education in the area of digital forensics.

Page 11: Digital Forensics Presentation

Science/Computing Track

* Required courses (12 hours):

CGS 5131, Computer Forensics I

CGS 5132, Computer Forensics II

CHS 5503, Topics in Forensic Science

CET 6887 (previously DIG 5835), The Practice of Digital Forensics

Restricted Elective Courses (12 hours):

* Group A: (computing, choose two courses, 6 hours)

CAP 6133, Advanced Topics in Computer Security and Computer Forensics

CNT 6519, Wireless Security and Forensics

CAP 6135, Malware and Software Vulnerability Analysis

COP 6525, Distributed Processing of Digital Evidence

Page 12: Digital Forensics Presentation

Science/Computing Track

* Group B: (criminal justice/legal study, choose one course, 3 hours)

CCJ 6074, Investigative and Intelligence Analysis, Theory and Methods

CCJ 6706, Quantitative Methods and Computer Utilization in Criminal Justice, or ESI 5219, Engineering Statistics, or STA 5206, Statistical Analysis

PLA 5587, Current Issues in Cyberlaw

* Group C: (forensic science, choose one course, 3 hours)

CHS 5596, Forensic Expert in the Courtroom

CHS 5518, Forensic Examination of Digital Evidence, or CJE 5688, Cybercrime and Criminal Justice

Thesis Option (6 hours):

* CAP 6971, Master's thesis

Non-Thesis Option (6 hours):

* CAP 6946, Graduate Internship (3 hours)

* Choose one course from the groups listed in the restricted electives section

Page 13: Digital Forensics Presentation

The Professional Track

The Professional Track is directed toward current professionals in the field, who will pursue the degree as part-time students, and those who would like to gain the knowledge and skills required to work as an examiner in the field.

Page 14: Digital Forensics Presentation

Professional Track

24 hours required

CHS 5503 Topics in Forensic Science

CGS 5131 Computer Forensics 1

CGS 5132 Computer Forensics 2

CHS 5518 Collection and Examination of Digital Evidence

CIS 6386 OS & File System Forensics

CIS 6395 Incident Response Technologies

CET 6887 Practice of Digital Forensics (capstone/project)

CET 6946 Graduate Internship/Practicum (minimum three hours, maximum six hours)

Six hours of free electives: An additional six hours of electives must be taken for a total of 30 hours. The student may propose any course that is related to digital forensics, the law, or criminal justice, or an additional three hours of internship. The course must be approved under the graduate program committee's oversight.

Page 15: Digital Forensics Presentation

Digital Forensics

What do we study? A little bit of everything: Computer Science, Statistics, Criminal Justice, Legal classes, Forensic Science.

CGS 5131 - Digital Forensics I

Introduction to Computer Forensics: hash values, file signatures, hex editors, Linux programs to manipulate the hard drive and gather data

Page 16: Digital Forensics Presentation

Digital Forensics

Introduction to Forensic Science

The scientific application of forensic science; crime scene investigation overview; law and police tactics

CGS 5132 - Digital Forensics II

Network forensic science in a Windows environment

Network sniffers, examining packets, firewalls, Windows file systems and security, processes, malware, cryptography

Page 17: Digital Forensics Presentation

Digital Forensics II

Example of a CGS 5132 assignment:

1. I examined the image files from the previous assignment and used a registry viewer to find information about the registry settings saved on the image files. I have a Vista machine. The image files from the previous assignment are in the form of an NTFS file system under C:\Downloads, the Helix CD, and a registry viewer. In this case, I used Access Data's Registry Viewer 1.5.3.

a) I booted my computer in Helix, opened a root terminal, and mounted the NTFS partition as read-only with the command "mount -r /dev/sda1 /media/sda1". I then inserted a thumb drive and mounted it as writable with the command "mount -w /dev/sdb1 /media/sdb1". Then, using Autopsy in Helix, I created a new case, added a host and 5 images to the host. I added the new images by uploading /media/sdb1/NTFS-10GB.*, choosing disk type and symlink for the import method. I clicked Next; the splitting confirmation said "no images were found at this location (/media/sdb1/NTFS-10GB.*)". The error message I got was "use back button and fix path".

Then I added the following MD5 hash "A45AF3D23B55065939D15859AD7CH82F" and verified after importing. The hashes matched. The mmls output was (take note of output)

I then selected the NTFS partition, chose File Analysis from the Autopsy menu, and browsed to the folder C:\WINDOWS\system32\config. I then selected the SAM registry file and exported it to my thumb drive. I did this with the other registry files: SECURITY, SYSTEM, and SOFTWARE.

I then selected the log file SysEvent.Evt from this same folder, C:\WINDOWS\system32\config, and exported it to /home/ubuntu/Desktop.

Finally, I located the registry file C:\Documents and Settings\Dr. Lang\NTUSER.DAT and exported it. I copied each of the exported files to my thumb drive: 5 registry files and 1 log file. I then unmounted the thumb drive with the command "unmount /dev/sdb1" and quit Helix.
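The lab above acquires a split image (NTFS-10GB.*), verifies its MD5 against the recorded value, and exports files from a read-only mount. The following script, added here as an illustration and not part of the original presentation or coursework, shows the verification step in code: it resolves the split-image glob (failing with the same kind of "no images were found" message when the path is wrong), hashes the parts as one continuous stream, and refuses an expected digest that is not 32 hex characters, so a hand-copied hash with a stray character is reported as a transcription error rather than a failed verification. The sample parts it writes are constructed bytes, not real evidence, and the file names and the md5 default are assumptions.

```python
import glob
import hashlib
import os
import tempfile

# Hex length of the digests this helper accepts.
DIGEST_HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64}


def is_valid_digest(digest, algorithm="md5"):
    """True if the string is a plausible hex digest for the algorithm.

    A digest copied by hand from a worksheet may contain a non-hex character;
    catching it here separates a transcription error from a real mismatch."""
    expected_len = DIGEST_HEX_LENGTH[algorithm]
    return len(digest) == expected_len and all(
        c in "0123456789abcdefABCDEF" for c in digest
    )


def find_parts(pattern):
    """Resolve a split-image glob such as /media/sdb1/NTFS-10GB.* into an ordered list.

    Zero-padded suffixes (.001, .002, ...) sort correctly with a plain sort."""
    parts = sorted(glob.glob(pattern))
    if not parts:
        raise FileNotFoundError(f"no images were found at this location ({pattern})")
    return parts


def hash_split_image(parts, algorithm="md5", chunk_size=1 << 20):
    """Hash the parts as one continuous stream, i.e. the way the whole device was hashed.

    Files are opened read-only and streamed in chunks so a multi-GB image never
    has to fit in memory."""
    h = hashlib.new(algorithm)
    for part in parts:
        with open(part, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                h.update(chunk)
    return h.hexdigest()


def verify_image(pattern, expected_digest, algorithm="md5"):
    """Compare the computed digest of the split image with the one recorded at acquisition."""
    if not is_valid_digest(expected_digest, algorithm):
        raise ValueError(
            f"expected {algorithm} digest is not {DIGEST_HEX_LENGTH[algorithm]} "
            f"hex characters: {expected_digest!r}"
        )
    parts = find_parts(pattern)
    actual = hash_split_image(parts, algorithm)
    return {
        "parts": parts,
        "actual": actual,
        "expected": expected_digest.lower(),
        "match": actual == expected_digest.lower(),
    }


def make_demo_image(directory=None):
    """Write two constructed image parts (not real evidence) and return (glob, expected md5).

    The first part starts with the NTFS boot-sector signature (EB 52 90 'NTFS    ')
    purely so the sample looks like the kind of image the lab works with."""
    directory = directory or tempfile.mkdtemp(prefix="demo-image-")
    part1 = b"\xEB\x52\x90NTFS    " + bytes(range(256)) * 8
    part2 = bytes(range(255, -1, -1)) * 8
    for name, data in (("NTFS-10GB.001", part1), ("NTFS-10GB.002", part2)):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    expected = hashlib.md5(part1 + part2).hexdigest()
    return os.path.join(directory, "NTFS-10GB.*"), expected


if __name__ == "__main__":
    pattern, recorded = make_demo_image()
    result = verify_image(pattern, recorded)
    print(f"parts:    {len(result['parts'])}")
    print(f"expected: {result['expected']}")
    print(f"actual:   {result['actual']}")
    print("VERIFIED" if result["match"] else "MISMATCH")
```

Hashing the concatenated stream is the right comparison when the recorded digest was taken over the whole device; if an acquisition tool recorded one digest per part instead, hash each part separately with the same helper.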

Page 18: Digital Forensics Presentation

Digital Forensics II

Example of another lab: How many times is the three-way handshake used during the process?

There were 7 three-way handshakes. There were 5 that were between the computer and the FTP server. They are identified by two S flags and an ack 1 flag. This is considered a three-way handshake. They occurred mainly before commands were given and files were transferred.

What are the IP addresses and ports involved in the process and which is for the ftp server and which is for the PC client?

The IP address of my PC, or source IP address, is 147.229.220.67; the IP address of the destination is 140.112.2.5. The port for my PC is port #49630; the destination port for the FTP server is port #21.

Which packets have the FIN flag set and what seems to be the purpose of this flag?

Found on the packets that were ending the ls input, ending the transfer, and before quit was input. The following shows the FIN flags when the FTP session was quit.

The purpose of the FIN flag "F" is that it initiates a graceful termination of a connection.
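The handshake and FIN questions above are answered by reading flag sequences out of a packet dump. The script below, an added example that is not from the presentation or the course, does the same counting mechanically over tcpdump/windump-style text lines: it tracks each flow through SYN, SYN/ACK and the completing ACK (so a lone SYN that never completes is reported separately rather than counted as a handshake), records which side is the client and which the server from who sent the SYN, and lists every packet carrying the FIN flag. The packet lines are constructed for the example, using the lab's FTP addresses and ports; the passive-mode data port 30000 and the timestamps are assumptions.

```python
import re

# tcpdump/windump text format: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return the endpoints and flag string of one TCP line, or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "src": (m["src"], int(m["sport"])),
        "dst": (m["dst"], int(m["dport"])),
        "flags": m["flags"],
    }


def analyze(lines):
    """Count completed three-way handshakes and FIN packets across all flows."""
    state = {}          # (client, server) -> SYN_SENT / SYN_RECEIVED / ESTABLISHED
    handshakes = []     # one entry per completed SYN, SYN/ACK, ACK exchange
    fin_packets = []    # (line number, sender) for every packet with F set
    for n, line in enumerate(lines, 1):
        pkt = parse_line(line)
        if pkt is None:
            continue                                  # ARP, ICMP, etc. are not TCP
        a, b, flags = pkt["src"], pkt["dst"], pkt["flags"]
        if "S" in flags and "." not in flags:         # bare SYN: a is the client
            state[(a, b)] = "SYN_SENT"
        elif "S" in flags and "." in flags:           # SYN/ACK: b is the client
            if state.get((b, a)) == "SYN_SENT":
                state[(b, a)] = "SYN_RECEIVED"
        elif flags == ".":                            # bare ACK from the client completes it
            if state.get((a, b)) == "SYN_RECEIVED":
                state[(a, b)] = "ESTABLISHED"
                handshakes.append({"client": a, "server": b, "completed_at": n})
        if "F" in flags:                              # FIN: graceful close from this side
            fin_packets.append({"line": n, "sender": a})
    incomplete = sum(1 for s in state.values() if s != "ESTABLISHED")
    return {"handshakes": handshakes, "fin_packets": fin_packets, "incomplete": incomplete}


# Constructed sample capture (not from the lab): an FTP control connection, a passive
# data connection that is closed after the transfer, the control connection closed
# after QUIT, one SYN that is never answered, and one non-TCP line.
SAMPLE_LINES = """\
12:00:00.000100 IP 147.229.220.67.49630 > 140.112.2.5.21: Flags [S], seq 100, win 64240, length 0
12:00:00.000200 IP 140.112.2.5.21 > 147.229.220.67.49630: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:00.000300 IP 147.229.220.67.49630 > 140.112.2.5.21: Flags [.], ack 501, win 64240, length 0
12:00:00.000400 IP 147.229.220.67.49630 > 140.112.2.5.21: Flags [P.], seq 101:112, ack 501, win 64240, length 11
12:00:00.000500 IP 140.112.2.5.21 > 147.229.220.67.49630: Flags [P.], seq 501:530, ack 112, win 65535, length 29
12:00:01.000100 IP 147.229.220.67.49631 > 140.112.2.5.30000: Flags [S], seq 200, win 64240, length 0
12:00:01.000200 IP 140.112.2.5.30000 > 147.229.220.67.49631: Flags [S.], seq 700, ack 201, win 65535, length 0
12:00:01.000300 IP 147.229.220.67.49631 > 140.112.2.5.30000: Flags [.], ack 701, win 64240, length 0
12:00:01.000400 IP 140.112.2.5.30000 > 147.229.220.67.49631: Flags [P.], seq 701:1200, ack 201, win 65535, length 499
12:00:01.000500 IP 140.112.2.5.30000 > 147.229.220.67.49631: Flags [F.], seq 1200, ack 201, win 65535, length 0
12:00:01.000600 IP 147.229.220.67.49631 > 140.112.2.5.30000: Flags [.], ack 1201, win 64240, length 0
12:00:01.000700 IP 147.229.220.67.49631 > 140.112.2.5.30000: Flags [F.], seq 201, ack 1201, win 64240, length 0
12:00:01.000800 IP 140.112.2.5.30000 > 147.229.220.67.49631: Flags [.], ack 202, win 65535, length 0
12:00:02.000100 IP 147.229.220.67.49630 > 140.112.2.5.21: Flags [P.], seq 112:118, ack 530, win 64240, length 6
12:00:02.000200 IP 147.229.220.67.49630 > 140.112.2.5.21: Flags [F.], seq 118, ack 530, win 64240, length 0
12:00:02.000300 IP 140.112.2.5.21 > 147.229.220.67.49630: Flags [F.], seq 530, ack 119, win 65535, length 0
12:00:02.000400 IP 147.229.220.67.49630 > 140.112.2.5.21: Flags [.], ack 531, win 64240, length 0
12:00:03.000100 IP 147.229.220.67.49632 > 140.112.2.5.21: Flags [S], seq 300, win 64240, length 0
12:00:03.000200 ARP, Request who-has 147.229.220.1 tell 147.229.220.67, length 28
""".splitlines()


if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    print(f"three-way handshakes: {len(result['handshakes'])}")
    for h in result["handshakes"]:
        print(f"  client {h['client']} -> server {h['server']} (completed at line {h['completed_at']})")
    print(f"FIN packets: {[f['line'] for f in result['fin_packets']]}")
    print(f"unanswered SYNs: {result['incomplete']}")
```

On a real capture, pipe `tcpdump -nn -r dumpfile` (or the windump equivalent) output into `analyze` line by line; the `-nn` flag keeps addresses and ports numeric so the regex matches.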

I also ran windump to capture the packets to a binary file called dumpfile2. I logged in to the SSH client and my UCF Pegasus account and logged out. I recorded these steps using the windump command; then, once I logged out of SSH/my Pegasus account, I terminated windump. I then ran the command:

windump -i 1 -s 1500 -r dumpfile2 -X host 147.229.220.67 > dump2.txt

opening an SSH connection. The flag for this was "Server/Client".

Page 19: Digital Forensics Presentation

Digital Forensics II

Continued... I then opened the dump2.txt file in Notepad and answered the following questions:

b) What is the size in bytes of the captured binary file and how many total packets were captured?

4139 packets captured

11432 packets received by filter

0 packets dropped by kernel

How many packets relate to these steps?

Double-clicking the SSH client icon and entering the required parameters for the Pegasus IP address 132.170.240.30, user name, and port number?

Double-clicking on the SSH client and entering a username and port number related to packets 1936-1939 (or 3 packets). The signal flag was "ssh > 60272 [ACK]..."; the end flag was "ssh > 60272 [ACK]...", the same flag.

Opening the SSH connection (clicking the connect button)?

Packets 1932-1933 (1 packet) are related to opening an SSH connection. The flag for this was "Server/Client".

Page 20: Digital Forensics Presentation

Faculty Resources and Qualifications

The MSDF program faculty members are interdisciplinary and from several different academic programs at UCF.

School of Electrical Engineering & Computer Science

Sheau-Dong Lang

Program Coordinator

[email protected]

Ratan Guha

Professor

[email protected]

Damla Turgut

Associate Professor

[email protected]

Cliff Zou

Assistant Professor

[email protected]

Engineering Technology

Philip Craiger

Professional Track Coordinator

[email protected]

Page 21: Digital Forensics Presentation

Chemistry/Forensic Science

Carrie Whitcomb

Director of NCFS

[email protected]

Criminal Justice and Legal Studies

Thomas Sadaka

Adjunct Professor

Michael Reynolds

Associate Professor

[email protected]

Robert Ford

Instructor

[email protected]

Mark Pollitt (former FBI)

Visiting Professor

[email protected]

Page 22: Digital Forensics Presentation

Summary

Digital Forensics is a new and growing field. There are jobs at police agencies and departments of law enforcement at the state, national or government level.

Forensic analysis is very tedious, but rewarding once the evidence is found on the computer and an offender can be prosecuted.

Steps must be taken to ensure the evidence is secure. Follow the chain of custody.