Network Security Library

Forensics





Forensics on the Windows Platform, Part One
Forensic examination of computer systems is commonly carried out by trained investigators using specialist hardware and software. The popularity of the Windows operating systems on both desktops and servers has made it a common source of evidence for such investigators. As a result, the range of tools available that can be used to analyze the Windows platform continues to grow. However, true forensic examination of a computer (i.e. where there may be a requirement to produce evidence in a court of law) does not take place only within the confines of a high-tech laboratory but also within the framework of current, relevant legislation and sometimes under the watchful eye of the media.
04/05/2004


Forensic Analysis of a Live Linux System, Part One
During the incident response process we often come across a situation where a compromised system wasn't powered off by a user or administrator. This is a great opportunity to acquire much valuable information, which is irretrievably lost after powering off. I'm referring to things such as: running processes, open TCP/UDP ports, program images which are deleted but still running in main memory, the contents of buffers, queues of connection requests, established connections and modules loaded into part of the virtual memory that is reserved for the Linux kernel. All of this data can help the investigator in offline examination to find forensic evidence. Moreover, when an incident is still relatively new we can recover almost all data used by and activities performed by an intruder.
04/05/2004


The Field Guide for Investigating Computer Crime, Part Eight: Information Discovery - Searching and Processing
This is the eighth and final article in the Field Guide for Investigating Computer Crime. In our last installment, Information Discovery - Basics and Planning, we briefly compared the physical search and seizure with its logical (i.e. data-oriented) counterpart, information discovery. We introduced the basics of the information discovery process, noting how establishing and protecting the chain of custody for logical evidence was delightfully straightforward! We then discussed three basic rules of thumb that should act as guides for any information discovery, mentioning along the way how each rule has a parallel in the world of physical search and seizure. We are now ready to bring things to a close by examining the final two stages - searching for and processing data evidence. So! Without further ado, let us tackle the remaining stages of information discovery...
04/05/2004


The Field Guide for Investigating Computer Crime, Part Seven: Information Discovery - Basics and Planning
Earlier in the Field Guide for Investigating Computer Crime, we outlined the two major parts of our investigative methodology: search and seizure, and information discovery (for more details, please see Overview of a Methodology for the Application of Computer Forensics). The previous installment in this series, Search and Seizure, Evidence Retrieval and Processing, concluded the overview of search and seizure with a discussion of the retrieval and processing of computer crime scene evidence. In this installment of the Field Guide for Investigating Computer Crime, we will begin our discussion of information discovery, the process of viewing log files, databases, and other data sources on unseized equipment in order to find and analyze information that may be of importance to a computer crime investigation.
04/05/2004


The Field Guide for Investigating Computer Crime, Part Six: Search and Seizure - Evidence Retrieval and Processing
In our last article, "Search and Seizure: Approach, Documentation, and Location", we saw how a team of investigators interacts with the computer crime scene during the stages of securing and documenting the crime scene, and searching for evidence. Up to this point, the process of search and seizure hasn't been overly cumbersome - below, the discussion of evidence retrieval and evidence processing will change this! Not to despair, though. As we mentioned in the second article, "Overview of a Methodology for the Application of Computer Forensics", it is possible to streamline the effort of investigating computer crimes. For example, an organization might assign degrees of priority to cases, such that the most urgent cases require a full treatment by investigators, while the least urgent do not. The key here is that an established policy governs the assignment of priorities to cases, and guides the investigative process accordingly.
04/05/2004


The Field Guide for Investigating Computer Crime: Search and Seizure Approach, Documentation, and Location Part Five
In our last article, Search and Seizure Planning, we examined the process of readying for a search and seizure. In particular, we looked at the importance of being prepared to document and handle evidence found at a computer crime scene, and at the necessity of organizing investigators into a team with distinct roles and functions. With planning out of the way, it's time to take some action!
04/05/2004


The Field Guide for Investigating Computer Crime: Search and Seizure Planning Part Four
In our last article, Search and Seizure Basics, we discussed six fundamental rules that an investigator should always have in mind when performing a search and seizure. Primarily, these rules are to help establish and safeguard the chain of custody for computer crime scene evidence. At this juncture, we're ready to look at the first stage of the search and seizure process: planning.
04/05/2004


A Case for Forensics Tools in Cross-Domain Data Transfers
Corporate and government organizations' dependence on computers and networks for the storage and movement of data raises significant security issues. Two of these are the movement of data across security domains (cross-domain) and computer reuse. The cross-domain transfer problem must address the contents of the file space as well as the contents of slack and free space. Three options are presented and discussed. One is selected as the most practical and is discussed more fully. Since this option involves the use of forensics software, a software tool is selected and its application discussed. The final discussion covers protecting against inadvertent data compromise when reusing or salvaging computers. Forensics software has a role here also.
04/05/2004


Analysis of a Secure Time Stamp Device
This paper discusses the design of a Secure Time Stamp device used to securely timestamp digital data, such as computer documents, files, and raw binary data of arbitrary format. The device is used to prove two facts: Existence, that a file existed on a given date and time; and Data Integrity, that the file was not altered since the time it was stamped. These two facts are essential for a number of purposes, including but not limited to: gathering and registering binary data to be used as forensic evidence, such as computer files, memory dumps, packet recorder data, security analysis logs, etc.; electronically "notarizing" the date and time of inventions and other time-critical documents, such as business plans, intellectual property, engineering documents, source code, contracts, etc.; and generating secure audit logs for financial transactions, crypto key generation and management, system management, etc.
04/04/2004


Deleting Sensitive Information: Why Hitting Delete Isn't Enough
This article intends to show that the deletion of files cannot be left to the delete key if those files are supposed to be disposed of securely. It demonstrates how simply files can be recovered under both Windows and Linux if the necessary security policy has not been extended to include the deletion of sensitive data. Popular techniques from each OS will be highlighted and procedures shown for how to recover a deleted file. The article will then show how to securely delete a file so that current software tools cannot recover it. The article also touches on more advanced techniques, beyond the means of most end users, that can recover even the most securely deleted files, proving just how difficult it can be to remove data without leaving a trace of it behind.
04/03/2004



Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget