CADX 105
COMPUTER FORENSICS AND
INVESTIGATION
Module I
Overview of digital forensics
• Digital forensics is a branch of forensic science that focuses on identifying,
acquiring, processing, analysing, and reporting on data stored electronically.
• Electronic evidence is a component of almost all criminal activities and
digital forensics support is crucial for law enforcement investigations.
• Electronic evidence can be collected from a wide array of sources, such as
computers, smartphones, remote storage, unmanned aerial systems,
shipborne equipment, and more.
• The main goal of digital forensics is to extract data from the electronic
evidence, process it into actionable intelligence and present the findings for
prosecution. All processes utilize sound forensic techniques to ensure the
findings are admissible in court.
• Forensics investigators often work as part of a team to secure an
organization’s computers and networks. The digital investigation
function can be viewed as part of a triad that makes up computing
security.
• Rapid progress in technology has expanded the skills needed, which vary
depending on the organization employing practitioners in this field. The
investigations triad is made up of these functions:
• Vulnerability/threat assessment and risk management
• Network intrusion detection and incident response
• Digital investigations
When you work in the vulnerability/threat assessment and risk
management group, you test and verify the integrity of stand-alone
workstations and network servers. This integrity check covers the physical
security of systems and the security of operating systems (OSs) and
applications.
People working in this group (often known as penetration testers) test for
vulnerabilities of OSs and applications used in the network and conduct
authorized attacks on the network to assess vulnerabilities. Typically, people
performing this task have several years of experience in system administration.
Their job is to poke holes in the network to help an organization be better
prepared for a real attack.
Professionals in the vulnerability assessment and risk management group also need skills
in network intrusion detection and incident response. This group detects intruder
attacks by using automated tools and monitoring network firewall logs.
When an external attack is detected, the response team tracks, locates, and identifies the
intrusion method and denies further access to the network. If an intruder launches an
attack that causes damage or potential damage, this team collects the necessary evidence,
which can be used for civil or criminal litigation against the intruder and to prevent
future intrusions.
If an internal user is engaged in illegal acts or policy violations, the network intrusion
detection and incident response group might assist in locating the user. For example,
someone at a community college sends e-mails containing a worm to other users on the
network. The network team realizes the e-mails are coming from a node on the internal
network, and the security team focuses on that node.
The digital investigations group manages investigations and conducts
forensics analysis of systems suspected of containing evidence related
to an incident or a crime. For complex casework, this group draws on
resources from personnel in vulnerability assessment, risk management,
and network intrusion detection and incident response. However, the
digital investigations group typically resolves or terminates case
investigations.
Digital Investigations
Digital investigations can be categorized several ways. For the purposes
of this discussion, however, they fall into two categories:
• Public-sector investigations
• Private-sector investigations
Public-sector investigations
• In general, public-sector investigations involve government agencies responsible
for criminal investigations and prosecution. Government agencies range from
municipal, county, and state or provincial police departments to federal law
enforcement agencies. These organizations must observe legal guidelines of their
jurisdictions, such as Article 8 in the Charter of Rights of Canada and the Fourth
Amendment to the U.S. Constitution restricting government search and seizure.
The law of search and seizure in the United States protects the rights of people,
including people suspected of crimes; as a digital forensics examiner, you must
follow these laws. The Department of Justice (DOJ) updates information on
computer search and seizure regularly.
Private-sector investigations
Private-sector investigations focus more on policy violations, such as not adhering
to Health Insurance Portability and Accountability Act of 1996 (HIPAA)
regulations. However, criminal acts, such as corporate espionage, can also occur. So
although private-sector investigations often start as civil cases, they can develop
into criminal cases; likewise, a criminal case can have implications leading to a civil
case. If you follow good forensics procedures, the evidence found in your
examinations can make the transition between civil and criminal cases.
Maintaining Professional Conduct
As a professional, you must exhibit the highest level of professional behavior at all
times. To do so, you must maintain objectivity and confidentiality during an
investigation, expand your technical knowledge constantly, and conduct yourself
with integrity.
Maintaining objectivity means you form opinions based on your education,
training, experience, and the evidence in your cases. Avoid making conclusions
about your findings until you have exhausted all reasonable leads and considered
the available facts.
Your ultimate responsibility is to find relevant digital evidence. You must avoid
prejudice or bias to maintain the integrity of your fact-finding in all investigations.
For example, if you’re employed by an attorney, don’t allow the attorney’s agenda
to dictate the outcome of your investigation. Your reputation depends on
maintaining your objectivity.
Private-Sector High-Tech Investigations
As an investigator, you need to develop formal procedures and informal checklists to
cover all issues important to high-tech investigations. These procedures are necessary
to ensure that correct techniques are used in an investigation. Use informal checklists
to be certain that all evidence is collected and processed correctly. This section lists
some sample procedures that digital investigators commonly use in private-sector
high-tech investigations.
Employee Termination Cases
Most investigative work for termination cases involves employee abuse of company
resources. Incidents that create a hostile work environment, such as viewing
pornography in the workplace and sending inappropriate e-mails, are the predominant
types of cases investigated. The following sections describe key points for conducting
an investigation that might lead to an employee’s termination. Consulting with your
organization’s general counsel and Human Resources Department for specific
directions on how to handle these investigations is recommended.
• Internet Abuse Investigations
The information in this section applies to an organization’s internal
private network, not a public ISP. Consult with your organization’s
general counsel after reviewing this list, and make changes
according to their directions to build your own procedures. To
conduct an investigation involving Internet abuse, you need the
following:
• The organization’s Internet proxy server logs
• Suspect computer’s IP address obtained from your organization’s network
administrator
• Suspect computer’s disk drive
• Your preferred digital forensics analysis tool
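The proxy logs and the suspect's IP address listed above can be turned into a repeatable first-pass triage before the disk is examined. The following Python is an added example, not code from the course slides; the log line format, the addresses and the 9-to-5 working hours are constructed assumptions.

```python
"""Proxy-log triage for an Internet abuse investigation (added example, not
from the course slides).

Assumptions (constructed for this example): the proxy writes one line per
request in the form
    <ISO timestamp> <client IP> <HTTP status> <bytes> <method> <URL>
and the network administrator has identified the suspect workstation's IP
address as 10.20.30.40. Both the format and the addresses are made up.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log lines; no real hosts or users.
SAMPLE_PROXY_LOG = """\
2024-03-04T08:58:12 10.20.30.40 200 5123 GET http://intranet.example/home
2024-03-04T09:02:45 10.20.30.41 200 812 GET http://news.example/top
2024-03-04T09:03:01 10.20.30.40 200 94021 GET http://video.example/watch?v=1
2024-03-04T09:03:40 10.20.30.40 200 120433 GET http://video.example/watch?v=2
2024-03-04T12:15:07 10.20.30.40 403 0 GET http://blocked.example/
2024-03-04T12:16:30 10.20.30.40 200 2201 GET http://shop.example/cart
malformed line that should be skipped
2024-03-04T17:45:09 10.20.30.40 200 3300 GET http://news.example/sports
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<status>\d{3}) "
    r"(?P<bytes>\d+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)

SUSPECT_IP = "10.20.30.40"  # supplied by the network administrator (constructed)


def parse_proxy_log(text):
    """Parse log text into dicts. Malformed lines are skipped but counted so
    the report can state how many records were unreadable."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["status"] = int(rec["status"])
        rec["bytes"] = int(rec["bytes"])
        rec["host"] = urlsplit(rec["url"]).hostname or ""
        records.append(rec)
    return records, skipped


def summarize_suspect(records, suspect_ip, work_hours=(9, 17)):
    """Summarise the suspect's requests: hosts visited, bytes transferred,
    blocked requests, and how many fell inside the stated working hours."""
    mine = [r for r in records if r["ip"] == suspect_ip]
    start, end = work_hours
    in_hours = sum(1 for r in mine if start <= r["ts"].hour < end)
    return {
        "requests": len(mine),
        "hosts": Counter(r["host"] for r in mine),
        "total_bytes": sum(r["bytes"] for r in mine),
        "during_work_hours": in_hours,
        "outside_work_hours": len(mine) - in_hours,
        "blocked_urls": [r["url"] for r in mine if r["status"] == 403],
        "first_seen": min((r["ts"] for r in mine), default=None),
        "last_seen": max((r["ts"] for r in mine), default=None),
    }


if __name__ == "__main__":
    recs, skipped = parse_proxy_log(SAMPLE_PROXY_LOG)
    report = summarize_suspect(recs, SUSPECT_IP)
    print(f"parsed {len(recs)} records, skipped {skipped} unreadable line(s)")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The skipped-line count belongs in the report: a log you could not fully parse is a fact the reader of your findings needs.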
• E-mail Abuse Investigations
E-mail investigations typically include spam, inappropriate and offensive message content, and
harassment or threats. E-mail is subject to the same restrictions as other computer evidence data, in
that an organization must have a defined policy, as described previously. The following list is what
you need for an investigation involving e-mail abuse:
• An electronic copy of the offending e-mail that contains message header data; consult with
your e-mail server administrator
• If available, e-mail server log records; consult with your e-mail server administrator to see
whether they are available
• For e-mail systems that store users’ messages on a central server, access to the server; consult
with your e-mail server administrator
• For e-mail systems that store users’ messages on a computer as an Outlook .pst or .ost file,
for example, access to the computer so that you can perform a forensic analysis on it
• Your preferred digital forensics analysis tool
• Attorney-Client Privilege Investigations
When conducting a digital forensics analysis under attorney-client privilege (ACP) rules
for an attorney, you must keep all findings confidential. The attorney you’re working for is
the ultimate authority over the investigation. For investigations of this nature, attorneys
typically request that you extract all data from drives. It’s your responsibility to comply
with the attorney’s directions. Because of the large quantities of data a drive can contain,
the attorney will want to know about everything of interest on the drives. Many attorneys
like to have printouts of the data you have recovered, but printouts can pose problems
when you have log files with several thousand pages of data or CAD drawing programs
that can be read only by proprietary programs. You need to persuade and educate many
attorneys on how digital evidence can be viewed electronically. In addition, learn how to
teach attorneys and paralegals to sort through files so that you can help them efficiently
analyze the huge amount of data a forensic examination produces.
• Industrial Espionage Investigations
Industrial espionage cases can be time consuming and are subject to scope creep problems
(meaning the investigation’s focus widens and becomes more time consuming).
Unlike the other private-sector investigations covered in this section, all suspected
industrial espionage cases should be treated as criminal investigations. The techniques
described here are for private network environments and internal investigations that
haven’t yet been reported to law enforcement officials.
An industrial espionage investigation typically involves the following people. This list isn’t exhaustive, so use your knowledge to improve on these recommendations:
• The digital investigator who’s responsible for disk forensic examinations
• The technology specialist who is knowledgeable about the suspected compromised
technical data
• The network specialist who can perform log analysis and set up network monitors
to trap network communication of possible suspects
• The threat assessment specialist (typically an attorney) who’s familiar with federal
and state laws and regulations related to ITAR or EAR and industrial espionage
Interviews and Interrogations in High-Tech Investigations
• Becoming a skilled interviewer and interrogator can take many years of experience. Typically, a private-sector
digital investigator is a technical person acquiring the evidence for an investigation. Many large organizations
have full-time security investigators with years of training and experience in criminal and civil investigations
and interviewing techniques. Few of these investigators have any computing or network technical skills, so
you might be asked to assist in interviewing or interrogating a suspect when you have performed a forensic
disk analysis on that suspect’s machine.
• An interrogation is different from an interview. An interview is usually conducted to collect information from
a witness or suspect about specific facts related to an investigation. An interrogation is the process of trying
to get a suspect to confess to a specific incident or crime. An investigator might change from an interview to
an interrogation when talking to a witness or suspect. The more experience and training investigators have in
the art of interviewing and interrogating, the more easily they can determine whether a witness is credible
and possibly a suspect.
• Your role as a digital investigator is to instruct the investigator conducting the interview on what questions to
ask and what the answers should be. As you build rapport with the investigator, he or she might ask you to
question the suspect. Watching a skilled interrogator is a learning experience in human relations skills. If
you’re asked to assist in an interview or interrogation, prepare yourself by answering the following questions:
• What questions do I need to ask the suspect to get the vital information about the case?
• Do I know what I’m talking about, or will I have to research the topic or technology
related to the investigation?
• Do I need additional questions to cover other indirect issues related to the investigation?
Data Recovery Workstations and Software
• Data recovery differs from digital forensics in two ways. In data recovery, typically, the
customer or your company just wants the data back. The other key difference is that in data
recovery, you usually know what you’re trying to retrieve. In digital forensics, you might have
an idea of what you’re searching for, but not necessarily.
• To conduct your investigation and analysis, you must have a specially configured PC known
as a forensic workstation, which is a computer loaded with additional bays and forensics
software. Depending on your needs, a forensic workstation can use the following operating
systems:
• MS-DOS 6.22
• Windows 95, 98, or Me
• Windows NT 3.5 or 4.0
• Windows 2000, XP, Vista, 7, 8, or 10
• Linux
• Mac OS X and macOS
• If you start any operating system while you’re examining a hard disk, the OS alters
the evidence disk by writing data to the Recycle Bin and corrupts the quality and
integrity of the evidence you’re trying to preserve.
• With the continued evolution of Microsoft OSs, it’s not always practical to use older
MS-DOS platforms, however. Many older digital forensics acquisition tools work in
the MS-DOS environment. These tools can operate from an MS-DOS window in
Windows 98 or from the command prompt in Windows 2000 and later. Some of their
functions are disabled or generate error messages when run in these OSs, however.
• Newer file system formats, such as NTFS, are accessible—that is, readable—only
from Windows NT and later or any Linux OS. You can use one of several
write-blockers that enable you to boot to Windows without writing data to the
evidence drive.
Setting Up Your Workstation for Digital Forensics
• With current digital forensics hardware and software, configuring a computer workstation or laptop as a forensic workstation is
simple. All that’s required are the following:
• A workstation running Windows 7 or later
• A write-blocker device
• Digital forensics acquisition tool
• Digital forensics analysis tool
• A target drive to receive the source or suspect disk data
• Spare PATA and SATA ports
• PATA stands for Parallel Advanced Technology Attachment, a bus interface used for connecting secondary storage
devices such as hard disks and optical drives. It was first introduced in 1986 by Western Digital and Compaq and was later
replaced by SATA.
• SATA stands for Serial Advanced Technology Attachment, a bus interface that connects hard disks and optical drives. It was
introduced in 2001 by the Serial ATA Working Group as demand for PATA was slowly declining. SATA has more advantages
than PATA, which increased its demand.
• USB ports
• Additional useful items include the following:
• Network interface card (NIC)
• Extra USB ports
• FireWire 400/800 ports
• SCSI card
• Disk editor tool
• Text editor tool
• Graphics viewer program
• Other specialized viewing tools
Conducting an Investigation
Start by gathering the resources you identified in your investigation plan.
You need the following items:
• Original storage media
• Evidence custody form
• Evidence container for the storage media, such as an evidence bag
• Bit-stream imaging tool; in this case, FTK Imager Lite
• Forensic workstation to copy and examine the evidence
• Secure evidence locker, cabinet, or safe
Gathering the Evidence
1. Arrange to meet the IT manager to interview him and pick up the storage media.
2. After interviewing the IT manager, fill out the evidence form, have him sign it, and then sign
it yourself.
3. Store the storage media in an evidence bag, and then transport it to your forensic facility.
4. Carry the evidence to a secure container, such as a locker, cabinet, or safe.
5. Complete the evidence custody form. As mentioned, if you’re using a multi-evidence form,
you can store the form in the file folder for the case.
6. If you’re also using single evidence forms, store them in the secure container with the
evidence. Reduce the risk of tampering by limiting access to the forms.
7. Secure the evidence by locking the container.
Understanding Bit-stream Copies
• A bit-stream copy is a bit-by-bit copy (also known as a “forensic copy”) of the original drive or
storage medium and is an exact duplicate. The more exact the copy, the better chance you have of
retrieving the evidence you need from the disk. This process is usually referred to as “acquiring an
image” or “making an image” of a suspect drive. A bit-stream copy is different from a simple
backup copy of a disk. Backup software can copy or compress only files that are stored in a folder
or are of a known file type. Backup software can’t copy deleted files and emails or recover file
fragments.
• A bit-stream image is the file containing the bit-stream copy of all data on a disk or disk partition.
For simplicity, it’s usually referred to as an “image,” “image save,” or “image file.” To create an
exact image of an evidence disk, copying the image to a target disk that’s identical to the evidence
disk is preferable (Figure 1-11). The target disk’s manufacturer and model, in general, should be
the same as the original disk’s manufacturer and model. If the target disk is identical to the
original, the size in bytes and sectors of both disks should also be the same. Some image
acquisition tools can accommodate a target disk that’s a different size than the original. Older
digital forensics tools designed for MS-DOS work only on a copied disk. Current GUI tools can
work on both a disk drive and copied data sets that many manufacturers refer to as “image saves.”
Acquiring an Image of Evidence Media
• After you retrieve and secure the evidence, you’re ready to copy the
evidence media and analyze the data. The first rule of digital forensics
is to preserve the original evidence. Then conduct your analysis only
on a copy of the data—the image of the original medium. Several
vendors offer Windows and Linux acquisition tools. These tools,
however, require a write-blocking device.
Analyzing Your Digital Evidence
• When you analyze digital evidence, your job is to recover the data. If
users have deleted or overwritten files on a disk, the disk contains
deleted files and file fragments in addition to existing files.
• Remember that as files are deleted, the space they occupied becomes
free space—meaning it can be used for new files that are saved or files
that expand as data is added to them.
• The files that were deleted are still on the disk until a new file is saved
to the same physical location, overwriting the original file. In the
meantime, those files can still be retrieved. Forensics tools such as
Autopsy can retrieve deleted files for use as evidence.
The next step is analyzing the data and searching for information related
to the complaint. Data analysis can be the most time-consuming task,
even when you know exactly what to look for in the evidence. The
method for locating evidentiary artifacts is to search for specific known
data values.
Data values can be unique words or nonprintable characters, such as
hexadecimal codes. There are also printable character codes that can’t
be generated from a keyboard, such as the copyright (©) or registered
trademark (™) symbols.
Many digital forensics programs can search for character strings (letters
and numbers) and hexadecimal values, such as 0xA9 for the copyright
symbol or 0xAE for the registered trademark symbol. All these
searchable data values are referred to as “keywords.”
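The three sections above (bit-stream copies versus backups, verifying the acquired image, and keyword searching for strings and hex values such as 0xA9 and 0xAE) can be shown on a constructed mini disk. The following Python is an added example, not code from the course slides: the 16-sector layout, the directory format, the file names and their contents are all invented for the demonstration.

```python
"""Bit-stream image versus file-level backup on a constructed mini disk
(added example; not code from the course slides).

The "disk" is 16 sectors of 64 bytes. Sector 0 holds a tiny directory of
name:start_sector:length entries separated by ';'; the rest is data. This
layout is invented for the example and is not any real file system.
"""
import hashlib

SECTOR = 64
NSECT = 16


def make_disk():
    """Build the constructed evidence disk with two files, then 'delete' one
    the way most file systems do: drop the directory entry, leave the data."""
    disk = bytearray(SECTOR * NSECT)
    # cp1252 encodes (c) as the single byte 0xA9 and (R) as 0xAE, the codes the
    # text refers to; in UTF-8 the same symbols would be C2 A9 and C2 AE.
    files = [
        (b"report.txt", 2, "Quarterly report \xa9 2024 Example Co".encode("cp1252")),
        (b"side_biz.txt", 5, "Invoice for SideBiz\xae client, paid cash".encode("cp1252")),
    ]
    entries = []
    for name, start, data in files:
        disk[start * SECTOR:start * SECTOR + len(data)] = data
        entries.append(b"%s:%d:%d" % (name, start, len(data)))
    directory = b";".join(entries)            # both files listed
    disk[0:len(directory)] = directory
    # "delete" side_biz.txt: rewrite the directory without it, data untouched
    disk[0:SECTOR] = b"\x00" * SECTOR
    disk[0:len(entries[0])] = entries[0]
    return bytes(disk)


def read_directory(disk):
    """Return {name: (start_sector, length)} for files still listed."""
    entries = {}
    for ent in disk[0:SECTOR].rstrip(b"\x00").split(b";"):
        if ent:
            name, start, length = ent.split(b":")
            entries[name.decode()] = (int(start), int(length))
    return entries


def backup_copy(disk):
    """What backup software sees: only files the directory still lists."""
    return {name: disk[s * SECTOR:s * SECTOR + n]
            for name, (s, n) in read_directory(disk).items()}


def bitstream_image(disk):
    """A bit-stream copy is every byte, allocated or not. Return the image
    plus SHA-256 of source and image so the acquisition can be verified and
    later re-verified (repeatable findings)."""
    image = bytes(disk)  # sector-by-sector read of the whole medium
    return (image,
            hashlib.sha256(disk).hexdigest(),
            hashlib.sha256(image).hexdigest())


def keyword_search(image, keywords):
    """Find every offset of each byte pattern in the whole image, free space
    included; works for printable strings and single hex codes alike."""
    hits = {}
    for kw in keywords:
        offsets, pos = [], image.find(kw)
        while pos != -1:
            offsets.append(pos)
            pos = image.find(kw, pos + 1)
        hits[kw] = offsets
    return hits


def carve_sector_text(image, offset):
    """Recover the run of bytes from the start of the sector containing a hit
    up to the first NUL: a crude carve of a file fragment from free space."""
    start = (offset // SECTOR) * SECTOR
    end = image.find(b"\x00", start)
    return image[start:end if end != -1 else len(image)]


if __name__ == "__main__":
    disk = make_disk()
    print("backup sees:", list(backup_copy(disk)))
    image, src_hash, img_hash = bitstream_image(disk)
    print("image verified:", src_hash == img_hash)
    hits = keyword_search(image, [b"SideBiz", b"\xa9", b"\xae"])
    print("hits:", hits)
    frag = carve_sector_text(image, hits[b"SideBiz"][0])
    print("recovered from free space:", frag.decode("cp1252"))
```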
Completing the Case
After analyzing the disk, you can retrieve deleted files, e-mail, and
items that have been purposefully hidden. The files on George’s USB
drive indicate that he was conducting a side business on his company
computer. Now that you have retrieved and analyzed the evidence, you
need to find the answers to the following questions to write the final
report:
• How did George’s manager acquire the disk?
• Did George perform the work on a laptop, which is his own property? If so,
did he conduct business transactions on his break or during his lunch hour?
• At what times of the day was George using the non-work-related files? How
did you retrieve this information?
• Which company policies apply?
• Are there any other items that need to be considered?
• When you write your report, state what you did and what you found.
The report you generate with a forensics tool gives an account of the
steps you took. As part of your final report, depending on guidance
from management or legal counsel, include this report file to
document your work. In any digital investigation, you should be able
to repeat the steps you took and produce the same results. This
capability is referred to as repeatable findings; without it, your work
product has no value as evidence.
Critiquing the Case
After you close the case and make your final report, you need to meet with your department or a
group of fellow investigators and critique the case in an effort to improve your work. Ask yourself
assessment questions such as the following:
• How could you improve your performance in the case?
• Did you expect the results you found? Did the case develop in ways you did not expect?
• Was the documentation as thorough as it could have been?
• What feedback has been received from the requesting source?
• Did you discover any new problems? If so, what are they?
• Did you use new techniques during the case or during research?
Make notes to yourself in your journal about techniques or processes that might need to be
changed or addressed in future investigations. Then store your journal in a secure place.

Computer Forensics -Introduction and the details

  • 1. CADX 105 COMPUTER FORENSICS AND INVESTIGATION Module I
  • 2. Overview of digital forensics • Digital forensics is a branch of forensic science that focuses on identifying, acquiring, processing, analysing, and reporting on data stored electronically. • Electronic evidence is a component of almost all criminal activities and digital forensics support is crucial for law enforcement investigations. • Electronic evidence can be collected from a wide array of sources, such as computers, smartphones, remote storage, unmanned aerial systems, shipborne equipment, and more. • The main goal of digital forensics is to extract data from the electronic evidence, process it into actionable intelligence and present the findings for prosecution. All processes utilize sound forensic techniques to ensure the findings are admissible in court.
  • 3. • Forensics investigators often work as part of a team to secure an organization’s computers and networks. The digital investigation function can be viewed as part of a triad that makes up computing security. • Rapid progress in technology has resulted in an expansion of the skills needed and varies depending on the organization using practitioners in this field. Investigations triad are made up of these functions • Vulnerability/threat assessment and risk management • Network intrusion detection and incident response • Digital investigations
  • 5. When you work in the vulnerability/threat assessment and risk management group, you test and verify the integrity of stand-alone workstations and network servers. This integrity check covers the physical security of systems and the security of operating systems (OSs) and applications. People working in this group (often known as penetration testers) test for vulnerabilities of OSs and applications used in the network and conduct authorized attacks on the network to assess vulnerabilities. Typically, people performing this task have several years of experience in system administration. Their job is to poke holes in the network to help an organization be better prepared for a real attack.
  • 6. Professionals in the vulnerability assessment and risk management group also need skills in network intrusion detection and incident response . This group detects intruder attacks by using automated tools and monitoring network firewall logs. When an external attack is detected, the response team tracks, locates, and identifies the intrusion method and denies further access to the network. If an intruder launches an attack that causes damage or potential damage, this team collects the necessary evidence, which can be used for civil or criminal litigation against the intruder and to prevent future intrusions. If an internal user is engaged in illegal acts or policy violations, the network intrusion detection and incident response group might assist in locating the user. For example, someone at a community college sends e-mails containing a worm to other users on the network. The network team realizes the e-mails are coming from a node on the internal network, and the security team focuses on that node.
  • 7. The digital investigations group manages investigations and conducts forensics analysis of systems suspected of containing evidence related to an incident or a crime. For complex casework, this group draws on resources from personnel in vulnerability assessment, risk management, and network intrusion detection and incident response. However, the digital investigations group typically resolves or terminates case investigations.
  • 8. Digital Investigations Digital investigations can be categorized several ways. For the purposes of this discussion, however, they fall into two categories: • public-sector investigations • and private-sector investigations
Public-sector investigations
• In general, public-sector investigations involve government agencies responsible for criminal investigations and prosecution. Government agencies range from municipal, county, and state or provincial police departments to federal law enforcement agencies. These organizations must observe legal guidelines of their jurisdictions, such as Article 8 in the Charter of Rights of Canada and the Fourth Amendment to the U.S. Constitution restricting government search and seizure.
• The law of search and seizure in the United States protects the rights of people, including people suspected of crimes; as a digital forensics examiner, you must follow these laws. The Department of Justice (DOJ) updates information on computer search and seizure regularly.
Private-sector investigations
Private-sector investigations focus more on policy violations, such as not adhering to Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. However, criminal acts, such as corporate espionage, can also occur. So although private-sector investigations often start as civil cases, they can develop into criminal cases; likewise, a criminal case can have implications leading to a civil case. If you follow good forensics procedures, the evidence found in your examinations can make the transition between civil and criminal cases.
Maintaining Professional Conduct
As a professional, you must exhibit the highest level of professional behavior at all times. To do so, you must maintain objectivity and confidentiality during an investigation, expand your technical knowledge constantly, and conduct yourself with integrity.
Maintaining objectivity means you form opinions based on your education, training, experience, and the evidence in your cases. Avoid making conclusions about your findings until you have exhausted all reasonable leads and considered the available facts. Your ultimate responsibility is to find relevant digital evidence. You must avoid prejudice or bias to maintain the integrity of your fact-finding in all investigations. For example, if you’re employed by an attorney, don’t allow the attorney’s agenda to dictate the outcome of your investigation. Your reputation depends on maintaining your objectivity.
Private-Sector High-Tech Investigations
As an investigator, you need to develop formal procedures and informal checklists to cover all issues important to high-tech investigations. These procedures are necessary to ensure that correct techniques are used in an investigation. Use informal checklists to be certain that all evidence is collected and processed correctly. This section lists some sample procedures that digital investigators commonly use in private-sector high-tech investigations.
Employee Termination Cases
Most investigative work for termination cases involves employee abuse of company resources. Incidents that create a hostile work environment, such as viewing pornography in the workplace and sending inappropriate e-mails, are the predominant types of cases investigated. The following sections describe key points for conducting an investigation that might lead to an employee’s termination. Consulting with your organization’s general counsel and Human Resources Department for specific directions on how to handle these investigations is recommended.
Internet Abuse Investigations
The information in this section applies to an organization’s internal private network, not a public ISP. Consult with your organization’s general counsel after reviewing this list, and make changes according to their directions to build your own procedures. To conduct an investigation involving Internet abuse, you need the following:
• The organization’s Internet proxy server logs
• The suspect computer’s IP address, obtained from your organization’s network administrator
• The suspect computer’s disk drive
• Your preferred digital forensics analysis tool
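The first two items on that list are used together: the proxy logs are filtered by the suspect computer's IP address to establish what was requested, when, and whether the proxy allowed it. The following Python script is an added example of that step, not code from the original slides. The log lines, IP addresses and host names in it are constructed, and the field layout assumes Squid's native access.log format; other proxies log different columns, so the parser would need adjusting.

```python
"""Summarize proxy-log activity for one suspect IP address.

Added example for the Internet-abuse checklist; not code from the original
slides. The log lines below are constructed and follow Squid's native
access.log layout (an assumption about the proxy in use):
  <epoch-seconds> <elapsed-ms> <client-ip> <result/status> <bytes> <method> <url> ...
"""
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample log: 10.20.30.40 is the suspect workstation's IP address
# supplied by the network administrator; 10.20.30.99 is an unrelated user.
SAMPLE_PROXY_LOG = """\
1700000000.123    120 10.20.30.40 TCP_MISS/200 5120 GET http://intranet.example.corp/hr/policy.html - HIER_DIRECT/10.0.0.5 text/html
1700000060.456    310 10.20.30.99 TCP_MISS/200 20480 GET http://news.example.net/today - HIER_DIRECT/203.0.113.9 text/html
1700000120.789    450 10.20.30.40 TCP_MISS/200 102400 GET http://adult-site.example.invalid/index.html - HIER_DIRECT/203.0.113.10 text/html
1700000180.012     90 10.20.30.40 TCP_DENIED/403 0 GET http://adult-site.example.invalid/gallery - HIER_NONE/- text/html
1700000240.345    200 10.20.30.40 TCP_MISS/200 8192 GET http://intranet.example.corp/timesheet - HIER_DIRECT/10.0.0.5 text/html
"""

SUSPECT_IP = "10.20.30.40"


def parse_proxy_log(text):
    """Turn raw access-log text into a list of request records."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines rather than guessing
        result, _, status = fields[3].partition("/")
        records.append({
            "time": datetime.fromtimestamp(float(fields[0]), tz=timezone.utc),
            "client": fields[2],
            "result": result,
            "status": int(status),
            "bytes": int(fields[4]),
            "method": fields[5],
            "host": urlsplit(fields[6]).hostname or fields[6],
            "url": fields[6],
        })
    return records


def activity_for(records, client_ip):
    """Only the requests made from the suspect's IP address, in time order."""
    return sorted((r for r in records if r["client"] == client_ip),
                  key=lambda r: r["time"])


def host_summary(records, client_ip):
    """How many requests the suspect made to each host (allowed or denied)."""
    return Counter(r["host"] for r in activity_for(records, client_ip))


def denied_requests(records, client_ip):
    """Requests the proxy refused; relevant when policy blocks a category."""
    return [r for r in activity_for(records, client_ip) if r["status"] == 403]


def timeline(records, client_ip):
    """(UTC timestamp, host, status) tuples in the order to present in a report."""
    return [(r["time"].isoformat(timespec="seconds"), r["host"], r["status"])
            for r in activity_for(records, client_ip)]


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_PROXY_LOG)
    for entry in timeline(recs, SUSPECT_IP):
        print(*entry)
    print(host_summary(recs, SUSPECT_IP))
```

The timeline is what you later correlate against the suspect's disk (browser history, cache) and against the times the employee was at work; the proxy's own clock setting should be recorded with the log, since the timestamps are only as reliable as that clock.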
E-mail Abuse Investigations
E-mail investigations typically include spam, inappropriate and offensive message content, and harassment or threats. E-mail is subject to the same restrictions as other computer evidence data, in that an organization must have a defined policy, as described previously. The following list is what you need for an investigation involving e-mail abuse:
• An electronic copy of the offending e-mail that contains message header data; consult with your e-mail server administrator
• If available, e-mail server log records; consult with your e-mail server administrator to see whether they are available
• For e-mail systems that store users’ messages on a central server, access to the server; consult with your e-mail server administrator
• For e-mail systems that store users’ messages on a computer as an Outlook .pst or .ost file, for example, access to the computer so that you can perform a forensic analysis on it
• Your preferred digital forensics analysis tool
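The first item on the list matters because the message header data, in particular the Received: lines that each mail server prepends, is what ties a message to the computer that sent it. The Python script below is an added example of reading that chain from a copy of the offending e-mail; it is not code from the original slides. The message is constructed, and every host name, IP address and identifier in it is made up.

```python
"""Pull the transit path and origin out of an e-mail's header block.

Added example for the e-mail-abuse checklist; not code from the original
slides. The message is constructed: every host name, IP address and
identifier in it is made up.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed copy of an offending message with its Received: headers intact.
# Mail servers prepend Received: headers, so the top one is the last hop and
# the bottom one is the first server that accepted the message.
SAMPLE_MESSAGE = b"""\
Received: from mail.example.corp (mail.example.corp [10.0.0.25])
\tby mx.example.corp (Postfix) with ESMTP id ABC123
\tfor <hr@example.corp>; Tue, 14 Nov 2023 09:15:02 -0500
Received: from WORKSTATION-17 (unknown [10.20.30.40])
\tby mail.example.corp (Postfix) with ESMTPA id XYZ789
\tfor <hr@example.corp>; Tue, 14 Nov 2023 09:15:01 -0500
From: "Some User" <some.user@example.corp>
To: hr@example.corp
Subject: Re: complaint
Date: Tue, 14 Nov 2023 09:15:00 -0500
Message-ID: <20231114141500.1234@WORKSTATION-17>

Body text here.
"""

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_HOP_RE = re.compile(r"from (\S+)(?: \(([^)]*)\))? by (\S+)")


def received_hops(raw):
    """Received: headers in transit order (first hop first), parsed into fields."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m = _HOP_RE.search(value)
        ip = _IP_RE.search(value)
        date_part = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({
            "from": m.group(1) if m else None,   # name the client announced
            "by": m.group(3) if m else None,     # server that wrote this line
            "ip": ip.group(1) if ip else None,   # address the server observed
            "time": parsedate_to_datetime(date_part) if date_part else None,
        })
    return hops


def header_summary(raw):
    """The facts an investigator records first: sender, ID, origin, path."""
    msg = email.message_from_bytes(raw)
    hops = received_hops(raw)
    return {
        "from": msg["From"],
        "message_id": msg["Message-ID"],
        "date": parsedate_to_datetime(msg["Date"]),
        "origin_ip": hops[0]["ip"] if hops else None,
        "path": [h["by"] for h in hops],
    }


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(hop)
    print(header_summary(SAMPLE_MESSAGE))
```

Only the Received: lines written by servers you control can be trusted; anything below them in the header block was supplied by the sending client and can be forged. That is why the list also asks for the server's own log records, which let you confirm the server's view of the same transaction.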
Attorney-Client Privilege Investigations
When conducting a digital forensics analysis under attorney-client privilege (ACP) rules for an attorney, you must keep all findings confidential. The attorney you’re working for is the ultimate authority over the investigation. For investigations of this nature, attorneys typically request that you extract all data from drives. It’s your responsibility to comply with the attorney’s directions. Because of the large quantities of data a drive can contain, the attorney will want to know about everything of interest on the drives.
Many attorneys like to have printouts of the data you have recovered, but printouts can pose problems when you have log files with several thousand pages of data or CAD drawing programs that can be read only by proprietary programs. You need to persuade and educate many attorneys on how digital evidence can be viewed electronically. In addition, learn how to teach attorneys and paralegals to sort through files so that you can help them efficiently analyze the huge amount of data a forensic examination produces.
Industrial Espionage Investigations
Industrial espionage cases can be time-consuming and are subject to scope creep problems (meaning the investigation’s focus widens and becomes more time-consuming). Unlike the other private-sector investigations covered in this section, all suspected industrial espionage cases should be treated as criminal investigations. The techniques described here are for private network environments and internal investigations that haven’t yet been reported to law enforcement officials. The following list of the staff such an investigation typically needs isn’t exhaustive, so use your knowledge to improve on these recommendations:
• The digital investigator who’s responsible for disk forensic examinations
• The technology specialist who is knowledgeable about the suspected compromised technical data
• The network specialist who can perform log analysis and set up network monitors to trap network communication of possible suspects
• The threat assessment specialist (typically an attorney) who’s familiar with federal and state laws and regulations related to ITAR or EAR and industrial espionage
Interviews and Interrogations in High-Tech Investigations
• Becoming a skilled interviewer and interrogator can take many years of experience. Typically, a private-sector digital investigator is a technical person acquiring the evidence for an investigation. Many large organizations have full-time security investigators with years of training and experience in criminal and civil investigations and interviewing techniques. Few of these investigators have any computing or network technical skills, so you might be asked to assist in interviewing or interrogating a suspect when you have performed a forensic disk analysis on that suspect’s machine.
• An interrogation is different from an interview. An interview is usually conducted to collect information from a witness or suspect about specific facts related to an investigation. An interrogation is the process of trying to get a suspect to confess to a specific incident or crime. An investigator might change from an interview to an interrogation when talking to a witness or suspect. The more experience and training investigators have in the art of interviewing and interrogating, the more easily they can determine whether a witness is credible and possibly a suspect.
• Your role as a digital investigator is to instruct the investigator conducting the interview on what questions to ask and what the answers should be. As you build rapport with the investigator, he or she might ask you to question the suspect. Watching a skilled interrogator is a learning experience in human relations skills. If you’re asked to assist in an interview or interrogation, prepare yourself by answering the following questions:
• What questions do I need to ask the suspect to get the vital information about the case?
• Do I know what I’m talking about, or will I have to research the topic or technology related to the investigation?
• Do I need additional questions to cover other indirect issues related to the investigation?
Data Recovery Workstations and Software
• Data recovery differs from digital forensics. In data recovery, typically, the customer or your company just wants the data back. The other key difference is that in data recovery, you usually know what you’re trying to retrieve. In digital forensics, you might have an idea of what you’re searching for, but not necessarily.
• To conduct your investigation and analysis, you must have a specially configured PC known as a forensic workstation, which is a computer loaded with additional bays and forensics software. Depending on your needs, a forensic workstation can use the following operating systems:
• MS-DOS 6.22
• Windows 95, 98, or Me
• Windows NT 3.5 or 4.0
• Windows 2000, XP, Vista, 7, 8, or 10
• Linux
• Mac OS X and macOS
• If you start any operating system while you’re examining a hard disk, the OS alters the evidence disk by writing data to the Recycle Bin and corrupts the quality and integrity of the evidence you’re trying to preserve.
• With the continued evolution of Microsoft OSs, it’s not always practical to use older MS-DOS platforms, however. Many older digital forensics acquisition tools work in the MS-DOS environment. These tools can operate from an MS-DOS window in Windows 98 or from the command prompt in Windows 2000 and later. Some of their functions are disabled or generate error messages when run in these OSs, however.
• Newer file system formats, such as NTFS, are accessible—that is, readable—only from Windows NT and later or any Linux OS. You can use one of several write-blockers that enable you to boot to Windows without writing data to the evidence drive.
Setting Up Your Workstation for Digital Forensics
• With current digital forensics hardware and software, configuring a computer workstation or laptop as a forensic workstation is simple. All that’s required are the following:
• A workstation running Windows 7 or later
• A write-blocker device
• Digital forensics acquisition tool
• Digital forensics analysis tool
• A target drive to receive the source or suspect disk data
• Spare PATA and SATA ports
• USB ports
PATA stands for Parallel Advanced Technology Attachment, a bus interface used for connecting secondary storage devices such as hard disks and optical drives. It was first introduced in 1986 by Western Digital and Compaq and was later replaced by SATA.
SATA stands for Serial Advanced Technology Attachment, a bus interface that connects hard disks and optical drives. It was introduced in 2001 by the Serial ATA Working Group as demand for PATA was slowly declining. SATA has more advantages than PATA, which increased demand for it.
Additional useful items include the following:
• Network interface card (NIC)
• Extra USB ports
• FireWire 400/800 ports
• SCSI card
• Disk editor tool
• Text editor tool
• Graphics viewer program
• Other specialized viewing tools
Conducting an Investigation
Start by gathering the resources you identified in your investigation plan. You need the following items:
• Original storage media
• Evidence custody form
• Evidence container for the storage media, such as an evidence bag
• Bit-stream imaging tool; in this case, FTK Imager Lite
• Forensic workstation to copy and examine the evidence
• Secure evidence locker, cabinet, or safe
Gathering the Evidence
1. Arrange to meet the IT manager to interview him and pick up the storage media.
2. After interviewing the IT manager, fill out the evidence form, have him sign it, and then sign it yourself.
3. Store the storage media in an evidence bag, and then transport it to your forensic facility.
4. Carry the evidence to a secure container, such as a locker, cabinet, or safe.
5. Complete the evidence custody form. As mentioned, if you’re using a multi-evidence form, you can store the form in the file folder for the case.
6. If you’re also using single-evidence forms, store them in the secure container with the evidence. Reduce the risk of tampering by limiting access to the forms.
7. Secure the evidence by locking the container.
Understanding Bit-stream Copies
• A bit-stream copy is a bit-by-bit copy (also known as a “forensic copy”) of the original drive or storage medium and is an exact duplicate. The more exact the copy, the better chance you have of retrieving the evidence you need from the disk. This process is usually referred to as “acquiring an image” or “making an image” of a suspect drive. A bit-stream copy is different from a simple backup copy of a disk. Backup software can copy or compress only files that are stored in a folder or are of a known file type. Backup software can’t copy deleted files and e-mails or recover file fragments.
• A bit-stream image is the file containing the bit-stream copy of all data on a disk or disk partition. For simplicity, it’s usually referred to as an “image,” “image save,” or “image file.” To create an exact image of an evidence disk, copying the image to a target disk that’s identical to the evidence disk is preferable (Figure 1-11). The target disk’s manufacturer and model, in general, should be the same as the original disk’s manufacturer and model. If the target disk is identical to the original, the size in bytes and sectors of both disks should also be the same. Some image acquisition tools can accommodate a target disk that’s a different size than the original. Older digital forensics tools designed for MS-DOS work only on a copied disk. Current GUI tools can work on both a disk drive and copied data sets that many manufacturers refer to as “image saves.”
Acquiring an Image of Evidence Media
• After you retrieve and secure the evidence, you’re ready to copy the evidence media and analyze the data. The first rule of digital forensics is to preserve the original evidence. Then conduct your analysis only on a copy of the data—the image of the original medium. Several vendors offer Windows and Linux acquisition tools. These tools, however, require a write-blocking device.
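The two slides above describe what an acquisition tool does: copy every byte of the medium, including free space, and produce something that can be checked against the original. The Python script below is an added example of the software side of that process, written for this page rather than taken from the slides, FTK Imager or any other tool. It images a constructed "drive" (a small file containing an allocated file, a deleted fragment in free space, and unused sectors), hashes what it read while copying, and then re-hashes both files so the check can be repeated later. Opening the source read-only is not a substitute for the hardware write-blocker the text requires, because the OS can still write to a mounted disk on its own.

```python
"""Software side of a bit-stream acquisition, with hash verification.

Added example for the slides on bit-stream copies and acquiring an image;
not code from the original slides or from any named tool. The sample
"drive" is a constructed file; the 512-byte sector size is an assumption.
"""
import hashlib
import os
import tempfile

SECTOR_SIZE = 512  # assumed sector size, used only for the size check


def acquire_image(source_path, image_path, chunk_size=1024 * 1024):
    """Copy source_path to image_path byte for byte, hashing while copying."""
    sha = hashlib.sha256()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            sha.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    return {
        "bytes": size,
        "sectors": -(-size // SECTOR_SIZE),  # ceiling division
        "sha256": sha.hexdigest(),
    }


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large images do not have to fit in memory."""
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            sha.update(chunk)
    return sha.hexdigest()


def verify_image(source_path, image_path):
    """Repeatable check: source and image must be the same size and hash."""
    same_size = os.path.getsize(source_path) == os.path.getsize(image_path)
    return same_size and sha256_file(source_path) == sha256_file(image_path)


def make_sample_evidence(path):
    """Write a constructed 8-sector 'drive'; a file backup would miss the fragment."""
    data = bytearray(8 * SECTOR_SIZE)
    live = b"LIVE FILE: quarterly report"
    deleted = b"DELETED FRAGMENT: side business invoice 0042"
    data[0:len(live)] = live                                         # allocated
    data[3 * SECTOR_SIZE:3 * SECTOR_SIZE + len(deleted)] = deleted   # free space
    with open(path, "wb") as f:
        f.write(data)
    return bytes(data)


def demo():
    """Acquire an image of the sample drive and verify it; returns the results."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "evidence.bin")
        img = os.path.join(workdir, "evidence.dd")
        original = make_sample_evidence(src)
        info = acquire_image(src, img)
        info["verified"] = verify_image(src, img)
        info["matches_original"] = info["sha256"] == hashlib.sha256(original).hexdigest()
        with open(img, "rb") as f:
            info["fragment_present"] = b"side business invoice" in f.read()
        return info


if __name__ == "__main__":
    print(demo())
```

The hash recorded at acquisition time belongs on the evidence custody form; anyone who later re-runs verify_image on the image and gets the same value has reproduced your result, which is the "repeatable findings" property the chapter returns to when it discusses the final report.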
Analyzing Your Digital Evidence
• When you analyze digital evidence, your job is to recover the data. If users have deleted or overwritten files on a disk, the disk contains deleted files and file fragments in addition to existing files.
• Remember that as files are deleted, the space they occupied becomes free space—meaning it can be used for new files that are saved or files that expand as data is added to them.
• The files that were deleted are still on the disk until a new file is saved to the same physical location, overwriting the original file. In the meantime, those files can still be retrieved. Forensics tools such as Autopsy can retrieve deleted files for use as evidence.
The next step is analyzing the data and searching for information related to the complaint. Data analysis can be the most time-consuming task, even when you know exactly what to look for in the evidence. The method for locating evidentiary artifacts is to search for specific known data values. Data values can be unique words or nonprintable characters, such as hexadecimal codes. There are also printable character codes that can’t be generated from a keyboard, such as the copyright (©) or registered trademark (™) symbols. Many digital forensics programs can search for character strings (letters and numbers) and hexadecimal values, such as 0xA9 for the copyright symbol or 0xAE for the registered trademark symbol. All these searchable data values are referred to as “keywords.”
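The two ideas in the slides above, that deleted data survives in free space until it is overwritten and that an examiner finds it by searching for keywords and hexadecimal values, can be shown together on a small image. The Python script below is an added example written for this page, not code from the slides or from Autopsy. It builds a constructed 16-sector image containing one allocated file, a deleted document fragment in free space, and a deleted JPEG-like file, then runs a keyword search (strings and a raw 0xA9 byte) and carves the JPEG back out by its header and end-of-image marker. The sector size and the file contents are made up for the example.

```python
"""Search unallocated space for keywords and carve a deleted file by signature.

Added example for the slides on recovering deleted data and keyword
searches; not code from the original slides or from Autopsy. The image
is constructed in memory; 512-byte sectors are an assumption.
"""
SECTOR = 512


def build_sample_image():
    """A constructed 16-sector image with 'deleted' material in free space."""
    img = bytearray(16 * SECTOR)
    live = b"ALLOCATED: meeting notes for Tuesday"
    img[0:len(live)] = live
    # A deleted document: the directory entry is gone, but the bytes remain.
    deleted_doc = "Side business invoice #0042 \u00a9 2023 George".encode("latin-1")
    img[5 * SECTOR:5 * SECTOR + len(deleted_doc)] = deleted_doc
    # A deleted JPEG-like file: SOI/JFIF header, filler, end-of-image marker.
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 300 + b"\xff\xd9"
    img[9 * SECTOR:9 * SECTOR + len(jpeg)] = jpeg
    return bytes(img)


def find_keywords(image, keywords, ignore_case=True):
    """Map each keyword to a sorted list of (offset, encoding) hits.

    str keywords are searched as Latin-1 and as UTF-16LE (the encoding many
    Windows artifacts use); bytes keywords are searched as raw hex values,
    for example b"\xa9" for the copyright symbol.
    """
    lowered = image.lower() if ignore_case else image  # ASCII-only lowering
    hits = {}
    for kw in keywords:
        if isinstance(kw, bytes):
            needles = [("raw", kw, image)]
        else:
            text = kw.lower() if ignore_case else kw
            needles = [("latin-1", text.encode("latin-1"), lowered),
                       ("utf-16-le", text.encode("utf-16-le"), lowered)]
        found = []
        for encoding, needle, haystack in needles:
            pos = haystack.find(needle)
            while pos != -1:
                found.append((pos, encoding))
                pos = haystack.find(needle, pos + 1)
        hits[kw] = sorted(found)
    return hits


def carve_by_signature(image, header, footer, max_size=10 * 1024 * 1024):
    """Recover files that start with `header` and end with `footer`."""
    carved = []
    start = image.find(header)
    while start != -1:
        end = image.find(footer, start + len(header), start + max_size)
        if end == -1:
            break  # header with no footer within max_size: leave it
        end += len(footer)
        carved.append({"offset": start, "length": end - start,
                       "data": image[start:end]})
        start = image.find(header, end)
    return carved


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for kw, offsets in find_keywords(SAMPLE_IMAGE, ["invoice", "George", b"\xa9"]).items():
        print(kw, offsets)
    for f in carve_by_signature(SAMPLE_IMAGE, b"\xff\xd8\xff", b"\xff\xd9"):
        print(f"JPEG at offset {f['offset']}, {f['length']} bytes")
```

Every hit is reported as a byte offset into the image, which is how you would cite it in the report and how another examiner would locate the same bytes when repeating your work. Signature carving as written here assumes the file is stored in one contiguous run; fragmented files need the file system's allocation structures, which is part of what tools such as Autopsy add.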
Completing the Case
After analyzing the disk, you can retrieve deleted files, e-mail, and items that have been purposefully hidden. The files on George’s USB drive indicate that he was conducting a side business on his company computer. Now that you have retrieved and analyzed the evidence, you need to find the answers to the following questions to write the final report:
• How did George’s manager acquire the disk?
• Did George perform the work on a laptop, which is his own property? If so, did he conduct business transactions on his break or during his lunch hour?
• At what times of the day was George using the non-work-related files? How did you retrieve this information?
• Which company policies apply?
• Are there any other items that need to be considered?
• When you write your report, state what you did and what you found. The report you generate with a forensics tool gives an account of the steps you took. As part of your final report, depending on guidance from management or legal counsel, include this report file to document your work. In any digital investigation, you should be able to repeat the steps you took and produce the same results. This capability is referred to as repeatable findings; without it, your work product has no value as evidence.
Critiquing the Case
After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and critique the case in an effort to improve your work. Ask yourself assessment questions such as the following:
• How could you improve your performance in the case?
• Did you expect the results you found? Did the case develop in ways you did not expect?
• Was the documentation as thorough as it could have been?
• What feedback has been received from the requesting source?
• Did you discover any new problems? If so, what are they?
• Did you use new techniques during the case or during research?
Make notes to yourself in your journal about techniques or processes that might need to be changed or addressed in future investigations. Then store your journal in a secure place.