NAC, ID 2.0 and Other Top Issues
May 14, 2008, Washington, D.C.
Introduction to End-to-End Digital Investigation

Peter Stephenson

Whereas forensic analysis techniques and products for computer media are now well established, the techniques for developing forensic evidence on networks are not yet nearly as rigorous or well defined.

This session explores the concept of a full end-to-end analysis of digital events. We will examine the underlying attack concepts, learn where we can search for evidence, and discover how we can correlate and normalize a chain of evidence across one or more networks and multiple network devices, including intermediate computers the attacker has commandeered to conceal his or her identity. We will discuss log analysis, correlation and normalization, the concept of a corroborated chain of evidence, and case preparation. We will end by examining methods for determining the probability that an attack actually occurred, as well as methods for showing intent on the part of the attacker.

INTRODUCTION TO FORENSIC COMPUTER SCIENCE
  • Definitions and role of forensics
  • Expectations: what forensics can and cannot do
  • Overview of legal issues
BRIEF REVIEW OF DISK GEOMETRY AND DIFFERENT FILE SYSTEMS
  • DOS, Windows, Unix/Linux/etc.
  • Disk geometry and where to look for evidence
  • Limitations (RAID arrays, very large drives, etc.)
  • Intro to Unix crash-dump analysis
USE OF COMPUTER FORENSIC TOOLS - ENCASE FROM GUIDANCE SOFTWARE
  • Overview of the forensic process in computers
  • Overview of the tool
  • Live demo of case analysis using the tool to extract and document evidence
INTRODUCTION TO NETWORK FORENSICS
  • Definitions and Expectations
  • Overview of the network environment from a forensic perspective
THE INTRUSION PROCESS
  • How intruders succeed
  • What can be used as evidence/what we are looking for
ELEMENTS OF AN END-TO-END FORENSIC TRACE
  • The end-to-end concept
  • Where we will find good evidence
  • Pitfalls of network evidence collection
  • Event analysis
LOG ANALYSIS AND CORRELATION
  • Different types of logs, their locations and their uses
  • Reading logs - picking out the useful information
  • Correlating data from various log sources to get the whole picture
  • Developing log entries forensically from deleted or modified logs
  • Collecting logs from systems out of your control
END-TO-END EVIDENCE CORRELATION AND CASE PREPARATION—SOME NEW TECHNIQUES
  • Correlating network log data with computer forensic data and host/server logs
  • Establishing that an attack actually occurred - event analysis applied
  • Establishing premeditation in a network attack
  • Preparing a case for litigation and/or transfer to law enforcement
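The log normalization and cross-source correlation named in the last two outline sections, as an added example that is not part of the session material or of any tool it mentions. It assumes three constructed log formats (an iptables-style firewall syslog, an Apache combined-format access log whose server clock runs at UTC-05:00, and an sshd auth log), converts every timestamp to UTC, groups events by source address, splits each address's events on gaps longer than a 30-minute window, and keeps only clusters corroborated by at least two independent logs. Hosts, addresses, timestamps and the syslog year are all constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# --- Constructed sample logs (not from the original page). Hosts, IPs and
# times are invented; the IPs come from the RFC 5737 documentation ranges. ---
FIREWALL_LOG = """\
Mar 12 02:14:05 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 12 02:14:09 fw1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 12 03:40:00 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
"""
# Apache combined log; this server's clock is set to local time at UTC-05:00.
WEB_LOG = """\
203.0.113.7 - - [11/Mar/2008:21:15:40 -0500] "GET /admin HTTP/1.1" 401 512
198.51.100.4 - - [11/Mar/2008:10:00:00 -0500] "GET /index.html HTTP/1.1" 200 1043
"""
AUTH_LOG = """\
Mar 12 02:16:02 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51234 ssh2
"""
SYSLOG_YEAR = 2008  # syslog timestamps carry no year; assumed for the sample


@dataclass
class Event:
    ts: datetime      # normalized to UTC
    src_ip: str
    source: str       # which log the event came from
    host: str
    detail: str


@dataclass
class Chain:
    """Events from one source address that fall within the correlation window."""
    src_ip: str
    events: list = field(default_factory=list)

    @property
    def sources(self):
        return {e.source for e in self.events}

    @property
    def start(self):
        return self.events[0].ts

    @property
    def end(self):
        return self.events[-1].ts


SYSLOG_TS = r"(?P<ts>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)"
FW_RE = re.compile(SYSLOG_TS + r"\s(?P<host>\S+)\skernel:.*?SRC=(?P<src>\S+)\sDST=(?P<dst>\S+).*?DPT=(?P<dpt>\d+)")
AUTH_RE = re.compile(SYSLOG_TS + r"\s(?P<host>\S+)\ssshd\[\d+\]:\s(?P<msg>Accepted \S+ for \S+ from (?P<src>\S+))")
WEB_RE = re.compile(r'^(?P<src>\S+)\s\S+\s\S+\s\[(?P<ts>[^\]]+)\]\s"(?P<req>[^"]*)"\s(?P<status>\d{3})')


def syslog_ts(text):
    """Syslog timestamps lack a year and zone; the sample hosts log in UTC."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR, tzinfo=timezone.utc)


def normalize(firewall, web, auth, web_host="web1"):
    """Parse three log formats into one UTC-ordered list of Event records."""
    events = []
    for line in firewall.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append(Event(syslog_ts(m["ts"]), m["src"], "firewall", m["host"],
                                f"connection to {m['dst']} port {m['dpt']}"))
    for line in web.splitlines():
        m = WEB_RE.match(line)
        if m:  # the %z offset is what lets us bring the web clock onto UTC
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
            events.append(Event(ts, m["src"], "web", web_host, f"{m['req']} -> {m['status']}"))
    for line in auth.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(Event(syslog_ts(m["ts"]), m["src"], "auth", m["host"], m["msg"]))
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window=timedelta(minutes=30), min_sources=2):
    """Group events by source IP, split on gaps longer than `window`, and keep
    only clusters seen by at least `min_sources` independent logs."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e.src_ip, []).append(e)
    chains = []
    for ip, evs in by_ip.items():
        current = Chain(ip, [evs[0]])
        for e in evs[1:]:
            if e.ts - current.end > window:
                chains.append(current)
                current = Chain(ip, [])
            current.events.append(e)
        chains.append(current)
    return [c for c in chains if len(c.sources) >= min_sources]


def render(chain):
    """Plain-text timeline of one corroborated chain, for the case file."""
    header = (f"chain for {chain.src_ip}: {chain.start.isoformat()} .. "
              f"{chain.end.isoformat()} ({', '.join(sorted(chain.sources))})")
    lines = [header] + [f"  {e.ts.isoformat()} {e.source:8} {e.host:5} {e.detail}"
                        for e in chain.events]
    return "\n".join(lines)


if __name__ == "__main__":
    for chain in correlate(normalize(FIREWALL_LOG, WEB_LOG, AUTH_LOG)):
        print(render(chain))
```

Run as a script it prints one chain: the address seen by the firewall, the web server and sshd within two minutes, while the second address, which appears in only one log per window, is dropped as uncorroborated. The window and the minimum number of independent sources are the two knobs an examiner would tune; the timezone normalization step is the one most often skipped and the one that most often makes a real chain look like unrelated noise.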