Wednesday, September 2, 2009

Introductions....

Well, I've started reading Digital Evidence and Computer Crime, and have gotten through the first two introductory chapters. They were just that: very introductory. It's hard to find anything very interesting to talk about. The chapters covered definitions and just set the stage for later chapters. I have a feeling this book is going to cover aspects of specific cases and study what was found therein. I will like reading about the Electronic Communications Privacy Act, as well as the Computer Fraud and Abuse Act, in later chapters. Not having a great knowledge of the specific laws currently in place, that should make for a good read.

It was interesting to read how some phrases were defined in these opening chapters. For example:

Hardware as contraband was defined as hardware used to intercept electronic communication, which makes me wonder how www.thinkgeek.com can remain open when it sells a Key Katcher key logger.

The information as contraband section discussed how having encryption software was illegal in some states. This must be an old example, because honestly any and every machine could be considered suspect. Maybe that was the intention.

Digital information as instrumentality was defined as programs used as a means for committing computer crimes. This made me think of the first time I met Rick Seeley as an undergraduate. During the conversation I mentioned using Knoppix for some task. He then gave me a strange look and quipped something about it being a hacking tool. Well, yes it was, but that wasn't exactly the purpose of the project. Yet just having such a CD can look incriminating to some. Needless to say, I may have to figure out a good alibi for having Ophcrack, Kismet, Nmap, Dsniff, Nessus, Netcat, Hping, et al. all installed at home.

Digital information as evidence was really defined as the paper trail. No, not T.I.'s latest album. Unless you obtained it via BitTorrent, then yes, that is evidence.

I've also made it through the first chapter of Guide to Computer Forensics and Investigations, which really just discussed being a forensics professional. Most of what was covered seemed to be common sense. Topics included lawful search and seizure procedures, preparing for investigations, working in the private sector, having a working knowledge of multiple operating systems, becoming a part of different computer-related user groups and organizations, etc.

What piqued my interest in this first chapter came about through one of the case studies. They described a case involving a murder investigation and the seizure of a computer containing evidence. Files that had been deleted were recovered off of the suspect's computer; they were timestamped prior to the murder and were then used during litigation to prove premeditation. Now, I've recovered data from drives in the past. However, I don't remember if the timestamp had been preserved, since, obviously, the timestamp didn't matter. The application used was a free Windows program called undelete. It simply scoured hard drives for files that had the pointers deleted but still remained intact on the drive. Hopefully this and more topics will be discussed later in the book.

I haven't read much about network forensic work, but I decided to play around with netcat this week, doing some simple connections and file transfers. Seeing how netcat is the TCP/IP Swiss army knife, I should get to know it! I did find how to use netcat to send a hard drive image across the network via: nc -w3 hostname port | dd of=/dev/hda. This could be handy in doing forensic analysis of a drive.
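The netcat imaging one-liner above, expanded into an added example (my own script, not from the post or either book): the collector listens and writes the stream to an image file rather than straight to a raw device, and both sides hash with SHA-256 so the copy can be verified. It assumes an OpenBSD-style nc (nc -l PORT, -N) and GNU coreutils; the device, host and port values are placeholders.

```shell
#!/bin/sh
# Added example, not code from the post: image a drive across the network
# with netcat and verify the copy with SHA-256 on both ends.
# Assumptions: OpenBSD-style nc (-l PORT, -N closes on EOF), GNU coreutils
# (dd status=none, sha256sum), and a trusted link between the two hosts,
# since nc itself provides no encryption or authentication.
set -e

# Collector side: listen, write the stream to an image FILE (never directly
# to a block device), then print the file's SHA-256.
# Usage: recv_image PORT OUTFILE
recv_image() {
    local port=$1 out=$2
    nc -l "$port" | dd of="$out" bs=4M status=none
    sha256sum "$out" | awk '{print $1}'
}

# Source side (e.g. booted from a live CD): stream the device to the
# collector, then print the device's SHA-256 for out-of-band comparison.
# Usage: send_image DEVICE HOST PORT
send_image() {
    local dev=$1 host=$2 port=$3
    dd if="$dev" bs=4M status=none | nc -N -w3 "$host" "$port"
    sha256sum "$dev" | awk '{print $1}'
}

# Compare an image's SHA-256 with the hash recorded on the source side.
# Returns 0 when they match, 1 otherwise.
# Usage: verify_image IMAGEFILE EXPECTED_HEX
verify_image() {
    local actual
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# Dispatch on the first argument; with no arguments the functions are only
# defined, so the file can also be sourced.
case "${1:-}" in
    recv)   recv_image "$2" "$3" ;;
    send)   send_image "$2" "$3" "$4" ;;
    verify) verify_image "$2" "$3" && echo "match" ;;
esac
```

Run recv on the collector first, then send on the source, and keep both printed hashes with the image; a mismatch means the image is not usable as evidence.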
