Scribd
Upload
96 views42 pages

Lecture 1b Digital Forensic

Uploaded by

Abc
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
96 views42 pages

Lecture 1b Digital Forensic

Uploaded by

Abc
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 42

Guide to Computer Forensics

and Investigations
Fourth Edition

Chapter 2
Understanding Computer
Investigations
Objectives

• Explain how to prepare a computer investigation


• Apply a systematic approach to an investigation
• Describe procedures for corporate high-tech
investigations
• Explain requirements for data recovery
workstations and software

Guide to Computer Forensics and Investigations 2


Preparing a Computer Investigation
• Role of computer forensics professional is to gather
evidence to prove that a suspect committed a
crime or violated a company policy
• Collect evidence that can be offered in court or at a
corporate inquiry
– Investigate the suspect’s computer
– Preserve the evidence on a different computer
• Follow an accepted procedure to prepare a case
• Chain of custody
– Route the evidence takes from the time you find it
until the case is closed or goes to court
Guide to Computer Forensics and Investigations 3
An Overview of a Computer Crime
• Computers can contain information that helps law
enforcement determine:
– Chain of events leading to a crime
– Evidence that can lead to a conviction
• Law enforcement officers should follow proper
procedure when acquiring the evidence
– Digital evidence can be easily altered by an
overeager investigator
• Information on hard disks might be password
protected

Guide to Computer Forensics and Investigations 4


Examining a Computer Crime

Guide to Computer Forensics and Investigations 5


An Overview of a Company Policy
Violation

• Employees misusing resources can cost


companies millions of dollars
• Misuse includes:
– Surfing the Internet
– Sending personal e-mails
– Using company computers for personal tasks

Guide to Computer Forensics and Investigations 6


Taking a Systematic Approach

• Steps for problem solving


– Make an initial assessment about the type of case
you are investigating
– Determine a preliminary design or approach to the
case
– Create a detailed checklist
– Determine the resources you need
– Obtain and copy an evidence disk drive

Guide to Computer Forensics and Investigations 7


Taking a Systematic Approach
(continued)

• Steps for problem solving (continued)


– Identify the risks
– Mitigate or minimize the risks
– Test the design
– Analyze and recover the digital evidence
– Investigate the data you recover
– Complete the case report
– Critique the case

Guide to Computer Forensics and Investigations 8


Assessing the Case

• Systematically outline the case details


– Situation
– Nature of the case
– Specifics of the case
– Type of evidence
– Operating system
– Known disk format
– Location of evidence

Guide to Computer Forensics and Investigations 9


Assessing the Case (continued)

• Based on case details, you can determine the case


requirements
– Type of evidence
– Computer forensics tools
– Special operating systems

Guide to Computer Forensics and Investigations 10


Planning Your Investigation

• A basic investigation plan should include the


following activities:
– Acquire the evidence
– Complete an evidence form and establish a chain of
custody
– Transport the evidence to a computer forensics lab
– Secure evidence in an approved secure container

Guide to Computer Forensics and Investigations 11


Planning Your Investigation
(continued)

• A basic investigation plan (continued):


– Prepare a forensics workstation
– Obtain the evidence from the secure container
– Make a forensic copy of the evidence
– Return the evidence to the secure container
– Process the copied evidence with computer
forensics tools

Guide to Computer Forensics and Investigations 12


Planning Your Investigation
(continued)

• An evidence custody form helps you document


what has been done with the original evidence and
its forensics copies
• Two types
– Single-evidence form
• Lists each piece of evidence on a separate page
– Multi-evidence form

Guide to Computer Forensics and Investigations 13


Planning Your Investigation
(continued)

Guide to Computer Forensics and Investigations 14


Planning Your Investigation
(continued)

Guide to Computer Forensics and Investigations 15


Securing Your Evidence

• Use evidence bags to secure and catalog the


evidence
• Use computer safe products
– Antistatic bags
– Antistatic pads
• Use well padded containers
• Use evidence tape to seal all openings
– Floppy disk or CD drives
– Power supply electrical cord

Guide to Computer Forensics and Investigations 16


Securing Your Evidence (continued)

• Write your initials on tape to prove that evidence


has not been tampered with
• Consider computer specific temperature and
humidity ranges

Guide to Computer Forensics and Investigations 17


Procedures for Corporate High-Tech
Investigations

• Develop formal procedures and informal checklists


– To cover all issues important to high-tech
investigations

Guide to Computer Forensics and Investigations 18


Employee Termination Cases

• Majority of investigative work for termination cases


involves employee abuse of corporate assets
• Internet abuse investigations
– To conduct an investigation you need:
• Organization’s Internet proxy server logs
• Suspect computer’s IP address
• Suspect computer’s disk drive
• Your preferred computer forensics analysis tool i.e.
ProDiscover,Forensic Toolkit,EnCase, X-Ways
Forensics,etc.

Guide to Computer Forensics and Investigations 19


Employee Termination Cases
(continued)
• Internet abuse investigations (continued)
– Recommended steps
• Use standard forensic analysis techniques and
procedures
• Use appropriate tools to extract all Web page URL
information
• Contact the network firewall administrator and request
a proxy server log
• Compare the data recovered from forensic analysis to
the proxy server log
• Continue analyzing the computer’s disk drive data

Guide to Computer Forensics and Investigations 20


Employee Termination Cases
(continued)
• E-mail abuse investigations
– To conduct an investigation you need:
• An electronic copy of the offending e-mail that
contains message header data
• If available, e-mail server log records
• For e-mail systems that store users’ messages on a
central server, access to the server
• Access to the computer so that you can perform a
forensic analysis on it
• Your preferred computer forensics analysis tool i.e
Forensic Toolkit or ProDiscover

Guide to Computer Forensics and Investigations 21


Employee Termination Cases
(continued)
• E-mail abuse investigations (continued)
– Recommended steps
• Use the standard forensic analysis techniques
• Obtain an electronic copy of the suspect’s and victim’s
e-mail folder or data
• For Web-based e-mail investigations, use tools such
as FTK’s Internet Keyword Search option to extract all
related e-mail address information
• Examine header data of all messages of interest to
the investigation

Guide to Computer Forensics and Investigations 22


Attorney-Client Privilege Investigations

• Under attorney-client privilege (ACP) rules for an


attorney
– You must keep all findings confidential
• Many attorneys like to have printouts of the data
you have recovered
– You need to persuade and educate many attorneys
on how digital evidence can be viewed electronically
• You can also encounter problems if you find data in
the form of binary files

Guide to Computer Forensics and Investigations 23


Attorney-Client Privilege Investigations
(continued)

• Steps for conducting an ACP case


– Request a memorandum from the attorney directing
you to start the investigation
– Request a list of keywords of interest to the
investigation
– Initiate the investigation and analysis
– For disk drive examinations, make two bit-stream
images using different tools
– Compare hash signatures on all files on the original
and re-created disks
Guide to Computer Forensics and Investigations 24
Attorney-Client Privilege Investigations
(continued)
• Steps for conducting an ACP case (continued)
– Methodically examine every portion of the disk drive
and extract all data
– Run keyword searches on allocated and unallocated
disk space
– For Windows OSs, use specialty tools to analyze and
extract data from the Registry
– For binary data files such as CAD drawings, locate the
correct software product
– For unallocated data recovery, use a tool that removes
or replaces nonprintable data

Guide to Computer Forensics and Investigations 25


Attorney-Client Privilege Investigations
(continued)

• Steps for conducting an ACP case (continued)


– Consolidate all recovered data from the evidence bit-
stream image into folders and subfolders
• Other guidelines
– Minimize written communications with the attorney
– Any documentation written to the attorney must
contain a header stating that it’s “Privileged Legal
Communication—Confidential Work Product”
– Assist attorney and paralegal in analyzing the data

Guide to Computer Forensics and Investigations 26


Attorney-Client Privilege Investigations
(continued)

• If you have difficulty complying with the directions


– Contact the attorney and explain the problem
• Always keep an open line of verbal communication
• If you’re communicating via e-mail, use encryption

Guide to Computer Forensics and Investigations 27


Media Leak Investigations

• In the corporate environment, controlling sensitive


data can be difficult
• Consider the following for media leak investigations
– Examine e-mail
– Examine Internet message boards
– Examine proxy server logs
– Examine known suspects’ workstations
– Examine all company telephone records

Guide to Computer Forensics and Investigations 28


Media Leak Investigations (consider)
• Steps to take for media leaks
– Interview management privately
• To get a list of employees who have direct knowledge
of the sensitive data
– Identify media source that published the information
– Review company phone records
– Obtain a list of keywords related to the media leak
– Perform keyword searches on proxy and e-mail
servers

Guide to Computer Forensics and Investigations 29


Media Leak Investigations (consider)

• Steps to take for media leaks (continued)


– Discreetly conduct forensic disk acquisitions and
analysis
– From the forensic disk examinations, analyze all e-
mail correspondence
• And trace any sensitive messages to other people
– Expand the discreet forensic disk acquisition and
analysis
– Consolidate and review your findings periodically
– Routinely report findings to management

Guide to Computer Forensics and Investigations 30


Industrial Espionage Investigations

• All suspected industrial espionage cases should be


treated as criminal investigations
• Staff needed
– Computing investigator who is responsible for disk
forensic examinations
– Technology specialist who is knowledgeable of the
suspected compromised technical data
– Network specialist who can perform log analysis and
set up network sniffers
– Threat assessment specialist (typically an attorney)

Guide to Computer Forensics and Investigations 31


Industrial Espionage Investigations
(continued)
• Guidelines
– Determine whether this investigation involves a
possible industrial espionage incident
– Consult with corporate attorneys and upper
management
– Determine what information is needed to
substantiate the allegation
– Generate a list of keywords for disk forensics and
sniffer monitoring
– List and collect resources for the investigation

Guide to Computer Forensics and Investigations 32


Industrial Espionage Investigations
(continued)
• Guidelines (continued)
– Determine goal and scope of the investigation
– Initiate investigation after approval from management
• Planning considerations
– Examine all e-mail of suspected employees
– Search Internet newsgroups or message boards
– Initiate physical surveillance
– Examine facility physical access logs for sensitive
areas

Guide to Computer Forensics and Investigations 33


Industrial Espionage Investigations
(continued)
• Planning considerations (continued)
– Determine suspect location in relation to the
vulnerable asset
– Study the suspect’s work habits
– Collect all incoming and outgoing phone logs
• Steps
– Gather all personnel assigned to the investigation
and brief them on the plan
– Gather resources to conduct the investigation

Guide to Computer Forensics and Investigations 34


Industrial Espionage Investigations
(continued)

• Steps (continued)
– Place surveillance systems
– Discreetly gather any additional evidence
– Collect all log data from networks and e-mail servers
– Report regularly to management and corporate
attorneys
– Review the investigation’s scope with management
and corporate attorneys

Guide to Computer Forensics and Investigations 35


Interviews and Interrogations in High-
Tech Investigations

• Becoming a skilled interviewer and interrogator can


take many years of experience
• Interview
– Usually conducted to collect information from a
witness or suspect
• About specific facts related to an investigation
• Interrogation
– Trying to get a suspect to confess

Guide to Computer Forensics and Investigations 36


Interviews and Interrogations in High-
Tech Investigations (continued)
• Role as a computing investigator
– To instruct the investigator conducting the interview
on what questions to ask
• And what the answers should be
• Ingredients for a successful interview or
interrogation
– Being patient throughout the session
– Repeating or rephrasing questions to zero in on
specific facts from a reluctant witness or suspect
– Being tenacious

Guide to Computer Forensics and Investigations 37


Understanding Data Recovery
Workstations and Software
• Investigations are conducted on a computer
forensics lab (or data-recovery lab)
• Computer forensics and data-recovery are related
but different
• Computer forensics workstation
– Specially configured personal computer
– Loaded with additional bays and forensics software
• To avoid altering the evidence use:
– Forensics boot floppy disk
– Write-blockers devices

Guide to Computer Forensics and Investigations 38


Setting Up your Computer for
Computer Forensics
• Basic requirements
– A workstation running Windows XP or Vista (minimum)
– A write-blocker device
– Computer forensics acquisition tool
– Computer forensics analysis tool
– Target drive to receive the source or suspect disk data
– Spare PATA (Parallel ATA) or SATA (Serial ATA) ports
– USB ports

Guide to Computer Forensics and Investigations 39


Setting Up your Computer for
Computer Forensics (continued)

• Additional useful items


– Network interface card (NIC)
– Extra USB ports
– FireWire 400/800 ports
– SCSI card
– Disk editor tool
– Text editor tool
– Graphics viewer program
– Other specialized viewing tools

Guide to Computer Forensics and Investigations 40


Summary
• Always use a systematic approach to your
investigations
• Always plan a case taking into account the nature
of the case, case requirements, and gathering
evidence techniques
• Both criminal cases and corporate-policy violations
can go to court
• Plan for contingencies for any problems you might
encounter
• Keep track of the chain of custody of your evidence

Guide to Computer Forensics and Investigations 41


Summary (continued)
• Internet and media leak investigations require
examining server log data
• For attorney-client privilege cases, all written
communication should remain confidential
• A bit-stream copy is a bit-by-bit duplicate of the
original disk
• Always maintain a journal to keep notes on exactly
what you did
• You should always critique your own work

Guide to Computer Forensics and Investigations 42

You might also like