
Intro to Cybercrime (Crim 218- Special Topics)

Pages: 32
Uploaded on: 09-01-2021
Written in: 2019/2020

Lecture notes of 32 pages for the course Crim 218 at SFU (Notes)


Crim 218 Lecture Summaries

Jan 7th

Computer security is how to protect info, how to prevent wrong things from happening, how to
recover lost info

Digital forensics focuses on events that have happened: how to detect what happened, how to
gather evidence, and how to provide an explanation of how you got from before the event to after
the event

Digital forensic analyst
- Prepare evidence for criminal proceedings
- Those working with law enforcement focus on cybercrime

Cybercrime
- Any illegal activity that is based on computers, networks or devices
→ phishing, identity theft, extortion (malware is software that you don’t want; ransomware
encrypts data on a computer, or prevents the user from accessing the machine at all → the user
has to pay money in order to gain access).

1-Computer based crime
- Criminal activity based purely on use of computers (ransomware, spam)
2-Computer facilitated crime
- Crime conducted in the ‘real world’ but facilitated by use of computers (can happen
without computers, but makes it easier through computer equipment)

Addressing cybercrime- digital forensic analysts
Major component → following appropriate standard of practice, investigation techniques

Many think that evidence is found and analyzed very quickly, but this is not the case.
- if you know the address from which a communication comes, they need to find the
service provider, and then identify the relevant IP address. May not be a precise location
- most video evidence is grainy and loses definition when magnified

Computer-based evidence
Digital forensics aims to detect the presence of residual data
→ Computer based evidence is info/data of investigation value that is stored/transmitted by a
computer
- you need to have suitable software and equipment to make evidence available
- computer evidence is fragile and can be altered, damaged, or destroyed
→ special precautions need to be taken to document, collect and preserve the evidence (if
done wrong, it could be inadmissible in court)

ACPO Guidelines
1) no one should change data on computer
2) if necessary to access original data, must be able to explain the relevance of evidence
3) audit trail/records of all processes applied to evidence should be created and preserved, so
3rd party can achieve same results
4) person in charge of investigation has overall responsibility that the guidelines are met

Secure and detect evidence
1) securing evidence (the first action taken is to make a copy of the data, known as
imaging). An MD5/SHA-1 hash is created to validate the data. All other searches/work
are done on the copy, never on the original
2) evidence is detected (using software tools, searches may focus on particular info)
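
The securing step and the audit-trail guideline above, as an added example (not part of the original notes): copy the source, hash original and copy, and log the step so a third party can repeat it. File names and the JSON log format are assumptions; SHA-256 is added beside the MD5/SHA-1 named in the notes because collisions are known for both of those.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

# MD5 and SHA-1 are the hashes named in the notes; SHA-256 is added here.
ALGOS = ("md5", "sha1", "sha256")

def hash_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large image never has to fit in memory."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:              # read-only: never write to evidence
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}

def image_and_verify(source, image, audit_log):
    """Copy source to image, hash both, and append a record to the audit trail."""
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    record = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "action": "image", "source": source, "image": image,
        "source_hashes": hash_file(source),
        "image_hashes": hash_file(image),
    }
    record["verified"] = record["source_hashes"] == record["image_hashes"]
    with open(audit_log, "a") as log:        # one JSON line per processing step
        log.write(json.dumps(record) + "\n")
    return record

def still_matches(image, record):
    """Re-check a working copy against the hashes recorded at acquisition."""
    return hash_file(image) == record["image_hashes"]

def demo():
    """Constructed sample: a small file stands in for the seized disk."""
    d = tempfile.mkdtemp()
    src, img, log = (os.path.join(d, n) for n in ("disk.bin", "disk.img", "audit.jsonl"))
    with open(src, "wb") as f:
        f.write(b"constructed sample evidence\n" * 1000)
    record = image_and_verify(src, img, log)
    before = still_matches(img, record)
    with open(img, "r+b") as f:              # simulate an accidental change to the copy
        f.write(b"X")
    return record["verified"], before, still_matches(img, record)

if __name__ == "__main__":
    print(demo())
```

A single changed byte in the working copy makes the re-check fail, which is how an altered copy is caught before it is relied on.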


Obstacles in digital forensics
1- quality of data
2- passwords
3- hidden data
4- data quantity (deleted data)

Jan 14th

Internet Protocol (IP) suite- supports a wide range of applications (internet, world wide web,
social networking)
→ each application has its own protocol ‘on top’ of the transport and network layers

All these applications have similar software operations to support them, and they all rely on
TCP/IP (Transport Control Protocol and Internet Protocol). It is responsible for making sure all
the packets get there, in the right order. These are the standard set of communication commands.
This is the software level
→ these info services use their own set of commands (HTTP)

HTTP means HyperText Transfer Protocol. HTTP is the underlying protocol used by the World
Wide Web and this protocol defines how messages are formatted and transmitted, and what
actions Web servers and browsers should take in response to various commands.

Internet Standards
Most standards on the internet are peer reviewed, so no single organization has ownership of
such standards.
- Internet standard docs are published as RFCs (referred for comments)

Client-server paradigm
Internet applications are designed to exchange info between local and remote (server) machines
(local machine sends request to remote machine). This is achieved by sending a request from a
suitable local software program to a corresponding remote software program.
The client- local system
The server- remote machine

There are many different types of client services, and client programs are normally specific (a
mail client would use Outlook Express).

Server
- Usually handle multiple requests over the network
- Are not intended for direct operation
- Run on more powerful machines
- Often many clients interact with each server
There is 1 server with many clients


Separate applications provide different info services, with 2 classes: User and Network
- User services provide local users with access to remote info
- Network services provide local applications with access to remote info

The DNS (Domain Name Service) and NTP (Network Time Protocol)

Routing Information Protocol (RIP)
It’s an example network info service that enables the exchange of info between programs across
a network. It’s used to create and maintain network route info among compliant routers.
→ This removes the need for manual updates each time a routing change is required

When a router learns about changes in its route from one of its neighbours (using RIP broadcast),
this info is relayed to other neighbouring routers so they also update their routing tables.
→ RIP enables routers to react automatically if a network component fails.
Dynamic routing- it can take account of changes and will try to get there even if there are issues
RIP message is carried in a UDP datagram → if you’re sending a lot of traffic, some of the info
takes different routes
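
What sits inside that UDP datagram, as an added example (not part of the original notes): a parser for a RIP message using the layout from RFC 2453 (4-byte header, then 20-byte route entries). The sample message is constructed; a route advertised with metric 16 is how a neighbour reports that a network has become unreachable.

```python
import socket, struct

COMMANDS = {1: "request", 2: "response"}
AFI_IP = 2               # address family identifier for IP route entries
INFINITY = 16            # RIP metric 16 means "unreachable"

def parse_rip(payload):
    """Parse the UDP payload of a RIP message (4-byte header + 20-byte entries)."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("length is not header + N * 20 bytes")
    command, version, zero = struct.unpack("!BBH", payload[:4])
    if command not in COMMANDS or zero != 0:
        raise ValueError("bad RIP header")
    routes = []
    for off in range(4, len(payload), 20):
        afi, _tag, net, mask, hop, metric = struct.unpack(
            "!HH4s4s4sI", payload[off:off + 20])
        if afi != AFI_IP:
            continue                       # e.g. an authentication entry (0xFFFF)
        if not 1 <= metric <= INFINITY:
            raise ValueError("metric out of range")
        routes.append({
            "network": socket.inet_ntoa(net),
            "mask": socket.inet_ntoa(mask),
            "next_hop": socket.inet_ntoa(hop),
            "metric": metric,
            "reachable": metric < INFINITY,
        })
    return {"command": COMMANDS[command], "version": version, "routes": routes}

def build_sample():
    """Constructed RIPv2 response: one live route and one withdrawn route."""
    def entry(net, mask, metric):
        return struct.pack("!HH4s4s4sI", AFI_IP, 0, socket.inet_aton(net),
                           socket.inet_aton(mask), socket.inet_aton("0.0.0.0"), metric)
    return (struct.pack("!BBH", 2, 2, 0)
            + entry("10.1.0.0", "255.255.0.0", 2)
            + entry("192.168.5.0", "255.255.255.0", INFINITY))

if __name__ == "__main__":
    for route in parse_rip(build_sample())["routes"]:
        print(route)
```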

Ports and Services
Multiple applications may be supported simultaneously on a networked machine. (One computer
could be running multiple services).
→ many network hosts run several network services, e.g. sending an email and browsing the web.
Access to these separate services is managed by the network software. Software must identify
the correct target service for any incoming request and also return the appropriate service
response to the correct client.

Ports (also numbers)- numbers that are used in addition to IP, in order to facilitate software to
software communication.

Managing these multiple services is accomplished by using different ‘ports’ for each service. A
port can be thought of as a channel. So an email request goes to one port, and a web browsing
request goes to another port.
→ ports allow the separation of outgoing requests to different remote targets
A request is always IP address and port number → to another IP address and port number
- There can be more than 1 IP address

A dotted quad- 4 numbers with dots in between- IP addresses → format for IP address, largest
value is 255

Assigned ports- People will use specific port numbers for certain services; these port numbers
are assigned by the Internet Assigned Numbers Authority (IANA).
→ assigned ports use a small range of possible port numbers
For the convenience of knowing what port to use
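
The port mechanism described in this section, as an added example (not part of the original notes): two services run on one loopback address and are told apart only by port, and each connection is an IP:port to IP:port pair. The service names are assumptions, and the OS picks the ports here so the demo needs no privileges; real services would listen on their IANA-assigned ports.

```python
import socket, threading

def is_dotted_quad(text):
    """True if text is four decimal numbers 0-255 separated by dots."""
    parts = text.split(".")
    return len(parts) == 4 and all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts)

def start_service(name):
    """Start a one-shot TCP service on loopback; the OS picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0 = let the OS choose (demo only)
    srv.listen(1)

    def serve():
        conn, peer = srv.accept()        # peer is the client's (ip, port)
        with conn:
            conn.sendall(f"{name} service saw client {peer[0]}:{peer[1]}".encode())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()             # (ip, port) the service listens on

def request(server_addr):
    """Connect as a client and report both endpoints of the connection."""
    with socket.create_connection(server_addr, timeout=5) as c:
        return {"client": c.getsockname(), "server": c.getpeername(),
                "reply": c.recv(128).decode()}

def demo():
    """Two services on one host, separated only by port number."""
    mail, web = start_service("mail"), start_service("web")
    return request(mail), request(web)

if __name__ == "__main__":
    for conn in demo():
        print(conn["client"], "->", conn["server"], ":", conn["reply"])
```

The client and server ends of each connection are the same pair of values that server-side connection logs record, which is why an analyst needs both address and port to attribute a request.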

Domain Name Service
DNS is another network information service that enables the exchange of info between programs
across a network. DNS is a layer that protects end users from IP addresses → is meant to be
more user friendly

Goals: a consistent ‘naming scheme’ which will be used for referring to internet hosts. Names
should not be required to contain network addresses, routes etc.

Internet names and addresses- internet domain names have to be registered. DNS software
converts registered names to IP addresses. As with IP numbers, domain names uniquely identify a
network and can also identify specific network hosts (usually have 2 or more parts, separated by
dots).
- Domain names are geographical (first 2 letters indicate country)
- Most internet machines have a local name, and the full name is the local name prefixed
to the domain to which it belongs (fully qualified domain name)

ULP- upper layer protocol

Tutorial Questions:

What carries a RIP Message?
- UDP Datagram

What does a communication request consist of?
- IP address and port number

What does RIP mean?
- Routing Information Protocol

What does a fully qualified domain name consist of?
- Local name and domain name

What does a dotted quad consist of?
- 4 numbers with dots in between, a way to write IP addresses

Do all RIP messages take the same route?
- No

Seller: jasbhela1, Simon Fraser University