Type
Quiz
Book Title
Computer Security Fundamentals 3rd Edition
ISBN 13
978-0789757463

Networking Chapter 14 Instructors Manual Materials Accompany Computer Security Fundamentals Introduction Forensics Objectives

May 3, 2021
Instructors Manual Materials to Accompany
COMPUTER SECURITY FUNDAMENTALS
CHAPTER 14
INTRODUCTION TO FORENSICS
CHAPTER 14 OBJECTIVES
When students finish reading this chapter, they will be able to:
Understand basic forensics principles.
Make a forensic copy of a drive.
Use basic forensics tools.
CHAPTER OVERVIEW
This chapter covers the fundamentals of computer forensics, including concepts, laws, and basic
techniques.
The major sections in this chapter are
1. General Guidelines
3. Finding Evidence in System Logs
5. Operating System Utilities
CHAPTER OUTLINE
I. Chapter 14 Objectives
II. Introduction
III. General Guidelines
a. Don’t Touch the Suspect Drive
b. Document Trail
c. Secure the Evidence
d. FBI Forensics Guidelines
e. Locard’s principle
f. Daubert
IV. Finding Evidence on the PC
a. Finding Evidence in the Browser
V. Finding Evidence in System Logs
a. Windows logs
b. Linux Logs
VI. Getting Back Deleted Files
Operating System Utilities
Net Sessions
Openfiles
Fc
Netstat
The Windows Registry
VII. Mobile Forensics
VIII. Summary
IX. Test Your Skills
X. Exercises
XI. Projects
PROJECTS/EXERCISES
Exercise 14.1: DiskDigger
Exercise 14.2: Making a forensic copy
This exercise requires two computers. You must also download either Backtrack or Knoppix.
WEB RESOURCES
United States Secret Service: http://www.secretservice.gov/ectf.shtml
CHAPTER REVIEW/Answers to test your skills
Multiple Choice Questions
1. How might an identity thief use the Internet to exploit her victim?
2. Which of the following is not an ideal place to seek phone numbers and addresses?
3. Why do you not want too much personal data about you on the Internet?
4. How could a hacker use information about you found through Internet searches?
5. If you hire a new employee, which of the following should you do?
6. Which of the following would be LEAST important to know about a potential business partner?
7. What information would provide the most accurate results for locating a person?
8. Of the Web sites listed in this chapter, which would be the most useful to obtain the address and
phone number of someone who does not live in the United States?
9. Where would you go to find various state sex offender registries?
10. What is most important to learn about a person listed in a sex offender registry?
11. Which Web search approach is best when checking criminal backgrounds?
12. What advantages are there to commercial web search services?
13. Which would you use to begin a search for information on a United States court case?
14. Which of the following is the most accurate description of Usenet?
15. Which of the following is the most helpful data you might get from Usenet on a person you are
investigating?
Exercises
EXERCISE 11.1: FINDING PHONE NUMBERS AND EXERCISE 11.2: CRIMINAL RECORDS CHECKS
These exercises are all procedural. Students should gather some information on the target. The challenge
EXERCISE 11.3: CHECKING COURT CASES AND EXERCISE 11.4: FINDING BUSINESS
INFORMATION ON USENET
EXERCISE 11.5: BLOCKING INFORMATION
To complete this exercise, students must delve a little deeper into the Web sites discussed as well as
perform some research to determine other means to block access to their personal information. The
Projects
PROJECT 11.1: INVESTIGATING A PERSON AND PROJECT 11.2: INVESTIGATING A COMPANY
With both of these projects, the key is to use multiple search modalities, in conjunction, to find accurate
PROJECT 11.3: THE ETHICS OF INVESTIGATION
There is no clear right or wrong answer in this project. Because this chapter has focused on techniques
Case Study
This case study requires students to bring together in one brief essay the elements involved in a logical
investigation of a potential employee. Although there are no absolute answers, successful students should
recognize that an investigation should begin with the broader-based Web sites and then be narrowed