Collection & Processing of Electronic Information

Post on 08-Feb-2016


Transcript of Collection & Processing of Electronic Information

Collection & Processing of Electronic Information

25th January, 2011

EDRM

Know Your Landscape

Questions:

Who are the “Players”?

Secretaries/Executive Assistants?

Network type

Devices/Media

Corporate Issue vs. Personal?

Collection

Traditional

Original HD

Bit-stream Imaging

Forensic Copy

Password Recovery

HASH

Signature Analysis

History

Extraction

Email, Internet History, Passwords

Network

Examples:

File Servers, Server Farms

Issues:

Dynamic, Geographical Locations, Size, Use

Archival Media

Examples:

Tapes, Hard Drives

Issues:

Reliability, Archival Schemes, Costs

Mobile Devices

Examples:

Cellular Phones, Tablets, GPS

Issues:

Ownership, Channels

Cloud Computing

Examples:

Google Mail, Google Docs, MS Office Web Apps

Issues:

Ownership, Geographical, Collection

Social Media

Examples:

Facebook, Twitter, LinkedIn

Issues:

Ownership, Geographical, Collection

Forensic Imaging

Forensic Imaging: the entire drive contents are imaged to a file, and checksum values (often referred to as a “hash value”) are calculated to verify the integrity of the image file (in court cases).

Forensic images are acquired with the use of software tools such as EnCase, FTK, DD, etc. (Some hardware cloning tools have added forensic functionality.)

HASH – MD5 or SHA
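
An added example, not part of the original presentation, of the hash verification described above: the source is copied bit for bit while MD5 and SHA-256 are computed over the bytes read, and the image is re-hashed later to confirm it has not changed. The function names, file names, chunk size and sample data are assumptions constructed for the illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a large drive never sits in memory


def hash_stream(src, dst=None):
    """Hash everything read from src; if dst is given, also copy the bytes to it."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    while chunk := src.read(CHUNK):
        md5.update(chunk)
        sha256.update(chunk)
        if dst is not None:
            dst.write(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def acquire(source_path, image_path):
    """Bit-stream copy of the source into an image file; returns acquisition hashes."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        return hash_stream(src, dst)


def verify(image_path, acquisition_hashes):
    """Re-hash the image and compare with the values recorded at acquisition."""
    with open(image_path, "rb") as img:
        return hash_stream(img) == acquisition_hashes


def demo():
    """Constructed sample: a small 'drive' holding data followed by empty space."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")  # stands in for the original HD
        image = os.path.join(tmp, "image.dd")     # the forensic image file
        with open(source, "wb") as f:
            f.write(b"constructed sample data " * 1000 + b"\x00" * (2 * CHUNK))
        recorded = acquire(source, image)
        intact = verify(image, recorded)
        with open(image, "r+b") as f:             # flip a single bit in the image
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0x01]))
        altered = verify(image, recorded)
        return recorded, intact, altered


if __name__ == "__main__":
    print(demo())
```

The acquisition hashes are the values to record in the chain-of-custody documentation; any later mismatch means the image is no longer the one that was collected.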

Forensic Imaging

Data are stored in “bucket” like storage

[Diagram: storage buckets labelled “Data” and “Empty”, with a region labelled “UASpace”]

Forensic Imaging

Advantages: Relatively Inexpensive, Complete Picture, Essential to Investigation

Disadvantages: Intrusive, High Volumes, Privacy Issue

Forensic Imaging

Collection

Covert vs. Office Hour

Forensic Imaging vs. Logical File Imaging vs. Manual Collection

Chain of Custody

Collection

Media: Collection Method

Desktop & Laptops: Forensic Imaging

Server Computers: Logical Copy

Online Data (Cloud Computing): Hybrid?

Q&A

Kevin Lo

Email: klo@ffpl.ca

Twitter: kevin_lo

Phone: +1 (416) 926-4215