Chapter Objectives
After reading this chapter, students will be able to:
- Define computer forensics
- Respond to a computer forensics incident
- Harden security through new solutions
- List information security jobs and skills
Technical Notes
Hands-On Projects

Project        Hardware required   Operating system required   Other resources
Project 13-1   PC                  Windows XP                  Microsoft Office Suite
Project 13-2   PC                  Windows XP                  Internet connectivity
Project 13-3   PC                  Windows XP                  Internet connectivity
Project 13-4   PC                  Windows XP                  Internet connectivity
Project 13-5   PC                  Windows XP                  Internet connectivity

This chapter should not be completed in one class session. It is recommended that you split the chapter into at least two class sessions, if possible. The subject matter can be covered in anywhere between 3 and 6 hours, plus any at-home exercises you wish to assign.
Quick Reference
Discuss the reasons why interest in computer forensics is heightened as described on page 447 of the text.
Quick Reference
Discuss the ways that computer forensics is different from standard investigations as shown on pages 447 through 449 of the text.
After retrieving the volatile data, the team focuses on the hard drive. A mirror image backup, also called a bitstream backup, is an evidence-grade backup because its accuracy meets evidence standards. Mirror image backups are considered a primary key to uncovering evidence because they create exact replicas of the computer contents at the crime scene.
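To make the difference between a file-level copy and a mirror image (bitstream) backup concrete, here is an added Python example; it is not from the textbook or this instructor's manual. It simulates a small sector-based drive, shows that only the bitstream image captures the slack space left after a file's last byte, and produces the hash and chain-of-custody record an examiner uses to show the image was not altered. The sector size, drive contents, file data and examiner name are constructed sample values.

```python
import hashlib
from datetime import datetime, timezone

SECTOR = 512  # bytes per sector, as on a classic hard drive (assumed value)


def make_disk(num_sectors, residue):
    """Constructed sample drive: every sector still holds residue from
    data that was deleted earlier (what a wiped-then-reused sector looks like)."""
    pattern = (residue * (SECTOR // len(residue) + 1))[:SECTOR]
    return bytearray(pattern * num_sectors)


def write_file(disk, start_sector, content):
    """Write a file starting on a sector boundary and return its (start, length)
    directory entry. The unused tail of the last sector is left untouched,
    which is exactly where slack data survives."""
    offset = start_sector * SECTOR
    disk[offset:offset + len(content)] = content
    return (start_sector, len(content))


def logical_copy(disk, entry):
    """What an ordinary file copy sees: only the allocated bytes of the file."""
    start, length = entry
    return bytes(disk[start * SECTOR:start * SECTOR + length])


def bitstream_image(disk):
    """Mirror image backup: every sector, slack and unallocated space included."""
    return bytes(disk)


def slack_of(disk, entry):
    """Bytes between the end of the file and the end of its last sector."""
    start, length = entry
    end = start * SECTOR + length
    sectors_used = (length + SECTOR - 1) // SECTOR
    last_sector_end = (start + sectors_used) * SECTOR
    return bytes(disk[end:last_sector_end])


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_image(original, image):
    """Evidence-grade check: the image hash must equal the source hash."""
    return sha256(original) == sha256(image)


def custody_record(image, examiner, action):
    """One chain-of-custody entry: who handled the evidence, when, and the
    hash that ties the entry to exactly this image."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "sha256": sha256(image),
    }


if __name__ == "__main__":
    disk = make_disk(4, b"DELETED_MAIL ")          # constructed residue
    entry = write_file(disk, 1, b"meeting notes")   # constructed file
    image = bitstream_image(disk)
    print("logical copy contains residue:", b"DELETED_MAIL" in logical_copy(disk, entry))
    print("bitstream image contains residue:", b"DELETED_MAIL" in image)
    print("slack bytes after file:", len(slack_of(disk, entry)))
    print("image verifies:", verify_image(disk, image))
    print(custody_record(image, "J. Examiner (hypothetical)", "acquired bitstream image"))
```

Run as a script, the output shows the residue is absent from the logical copy but present in the bitstream image, and the custody record carries the same SHA-256 that `verify_image` checks, so any later change to the image is detectable.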
Quick Reference
Discuss the criteria for mirror image backups as listed on pages 452 and 453 of the text.
Quick Quiz
1. ___________, or the application of science to questions that are of interest to the legal profession, is not limited to analyzing evidence from a murder scene, but can also be applied to technology.
   ANSWER: Forensic science
2. One reason that computer forensics specialists have certain opportunities is due to the persistence of ___________.
   ANSWER: evidence
3. ___________ the crime scene helps to document that the computer was working prior to the attack.
   ANSWER: Securing
4. ___________ backups replicate all sectors of a computer hard drive, including all files and any hidden data storage areas.
   ANSWER: Mirror image
5. The ___________ documents that the evidence was under strict control at all times and no unauthorized person was given the opportunity to corrupt the evidence.
   ANSWER: chain of custody
Quick Reference
Describe the characteristics of recent attacks as shown on pages 457 and 458 of the text. Also, describe some of the most recent developments and announcements as listed on pages 458 and 459 of the text.
Employment
The need for information security workers will continue to grow for the foreseeable future. Information security personnel are in short supply, and those who are in the field are being rewarded well. Security budgets have been spared the drastic cost-cutting that has plagued IT since 2001. One reason is that companies have recognized the high costs associated with weak security and have decided that prevention outweighs cleanup. Computer forensics specialists are critically needed.
Certification
Most industry experts agree that security certifications continue to be important. Preparing for the Security+ certification will help you solidify your knowledge and skills in cryptography, firewalls, and other important security defenses.
Job Skills
This section examines some of the most important skills that are demanded of information security workers.
Packets
Another important area of study regards packets. No matter how clever the attacker is, they still must send their attack to your computer with a packet. To recognize the abnormal, you must first understand what is normal.
Firewalls
Firewalls are essential tools on all networks and often provide a first layer of defense. Network security personnel should have a strong knowledge of how firewalls work, how to create access control lists (ACLs) to mirror the organization's security policy, and how to tweak ACLs to balance security with employee access.
Routers
Routers form the heart of a TCP/IP network. Configuring routers for both packet transfer and packet filtering can become very involved.
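As an added example covering both the Firewalls and Routers sections (it is not from the textbook or this manual), the following Python script models a first-match packet-filtering ACL with an implicit deny at the end, evaluates constructed sample packets against it, and flags rules that an earlier rule shadows, which is the usual way a "tweak" to a list silently breaks the policy it was meant to mirror. The addresses, ports and policy are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Hypothetical policy (constructed, not from the text): no Telnet anywhere,
# only the admin workstation may SSH to the server subnet, staff may browse
# the web, and everything else is denied. Evaluated top-down, first match wins.
ACL = [
    {"action": "deny",   "src": "0.0.0.0/0",    "dst": "10.0.0.0/8",  "proto": "tcp", "dport": 23},
    {"action": "permit", "src": "10.1.5.10/32", "dst": "10.0.2.0/24", "proto": "tcp", "dport": 22},
    {"action": "permit", "src": "10.1.0.0/16",  "dst": "0.0.0.0/0",   "proto": "tcp", "dport": 443},
    {"action": "permit", "src": "10.1.0.0/16",  "dst": "0.0.0.0/0",   "proto": "tcp", "dport": 80},
]
DEFAULT_ACTION = "deny"  # implicit deny when no rule matches


def matches(rule, pkt):
    """True if the packet's 5-tuple fields fall inside the rule's criteria."""
    return (ip_address(pkt["src"]) in ip_network(rule["src"])
            and ip_address(pkt["dst"]) in ip_network(rule["dst"])
            and rule["proto"] in ("any", pkt["proto"])
            and rule["dport"] in ("any", pkt["dport"]))


def evaluate(acl, pkt):
    """Return (action, index of the matching rule), or (default, None)."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule["action"], i
    return DEFAULT_ACTION, None


def shadowed_rules(acl):
    """Indexes of rules that can never match because an earlier rule already
    covers every packet they describe. A shadowed deny is a policy hole; a
    shadowed permit is an outage waiting to be reported."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (ip_network(later["src"]).subnet_of(ip_network(earlier["src"]))
                    and ip_network(later["dst"]).subnet_of(ip_network(earlier["dst"]))
                    and earlier["proto"] in ("any", later["proto"])
                    and earlier["dport"] in ("any", later["dport"])):
                shadowed.append(j)
                break
    return shadowed


# Constructed sample packets: (description, packet)
SAMPLE_PACKETS = [
    ("admin SSH to server", {"src": "10.1.5.10", "dst": "10.0.2.7", "proto": "tcp", "dport": 22}),
    ("staff SSH to server", {"src": "10.1.9.3",  "dst": "10.0.2.7", "proto": "tcp", "dport": 22}),
    ("admin Telnet",        {"src": "10.1.5.10", "dst": "10.0.2.7", "proto": "tcp", "dport": 23}),
    ("staff HTTPS",         {"src": "10.1.9.3",  "dst": "93.184.216.34", "proto": "tcp", "dport": 443}),
]

# A mis-ordered "tweak": the broad permit now hides the specific deny below it.
BAD_ACL = [
    {"action": "permit", "src": "10.1.0.0/16", "dst": "0.0.0.0/0",   "proto": "tcp", "dport": 22},
    {"action": "deny",   "src": "10.1.5.0/24", "dst": "10.0.2.0/24", "proto": "tcp", "dport": 22},
]

if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS:
        print(f"{label:22s} -> {evaluate(ACL, pkt)}")
    print("shadowed in ACL:", shadowed_rules(ACL))
    print("shadowed in BAD_ACL:", shadowed_rules(BAD_ACL))
```

The `shadowed_rules` check is the part worth keeping in a real change process: run it over the list after every edit, because a rule that ends up unreachable produces no error from the device, only a policy that no longer says what the security document says.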
Other Skills
A programming background is another helpful tool for security workers. Security workers should also be familiar with penetration testing. Once known as ethical hacking, penetration testing probes the vulnerabilities in systems, networks, and applications.
Quick Reference
Discuss the additional level of training and skills as listed on page 462 of the text.
Quick Quiz
1. ___________ can range from 100 million bytes to over a gigabyte and can be temporary or permanent, depending on the version of Windows and settings selected by the computer user.
   ANSWER: Windows page files
2. ___________ slack pertains only to the last sector of a file.
   ANSWER: RAM
3. ___________ protects computers by recognizing when they are not acting normally.
   ANSWER: Behavior blocking
4. ___________ are essential tools on all networks and often provide a first layer of defense.
   ANSWER: Firewalls
5. ___________ probes the vulnerabilities in systems, networks, and applications.
   ANSWER: Penetration testing
Discussion Questions
1. Why is programming such a valuable tool for security workers?
2. Discuss several different strategies used for examining evidence.
Additional Activities
1. Have students observe normal traffic flow along a network and then activate a sniffer. Once the sniffer is in place, have students chart the differences in network traffic.
2. Have students take a sample Security+ exam and discuss the results.