Week 13

Questions and Answers

When interacting with law enforcement, which agency handles computer crimes categorized as felonies?

State police

FBI (correct)

Cybercrime unit

Local sheriff's department

What is a disadvantage of involving law enforcement in an incident?

Faster resolution due to skilled investigators

Increased organizational assets

Gaining control of the chain of events

Loss of control of the chain of events (correct)

What is the nature of the U.S. legal system?

Cooperative

Adversarial (correct)

Inquisitorial

Investigative

What is the primary role of the first response team in digital forensics?

Assessing the location and collecting evidence

Why might an organization not involve law enforcement in an incident?

To reprimand or dismiss an employee

What is the purpose of challenging methods used in collecting evidence?

To ensure all parties follow the rules

What is the primary role of the analysis and presentation team in digital forensics?

Analyzing collected information

What is the primary responsibility of a digital forensics team?

Translating a real-world problem into questions to be answered by digital forensic analysis

What is a crucial factor to consider when deciding whether to employ an in-house investigatory team or outsource?

Available resources

What is the main purpose of a forensic field kit?

To provide portable equipment and tools needed for an investigation

Why is it important to always keep the equipment in a forensic field kit ready to respond?

So that it is always available in case of an emergency

What type of software or hardware might be included in a forensic field kit?

Imaging software or hardware

What is a potential drawback of outsourcing investigative services to a consultant?

They may have access to highly sensitive information

What might be included in a call list in a forensic field kit?

Contact information for subject matter experts

What is the primary responsibility of the incident manager during the collection of evidence?

Identifying sources of relevant information and producing photographic documentation

What is the purpose of the image hash information being documented in the record?

To preserve the integrity of the digital evidence

What is the primary goal of the incident manager when prioritizing collected evidence?

To prioritize evidence based on value, volatility, and effort required

What is the role of the scribe or recorder during the collection of evidence?

Produces written records of the team's activities and maintains control of the field evidence log and locker

What is the primary responsibility of the analysis team?

Analyzing and interpreting digital evidence

What is the purpose of creating forensic reports?

To present the investigation's findings to the judge and jury

What is the role of the imager during the collection of evidence?

Collects copies or images of digital evidence

What is the purpose of using analogies when presenting findings to the judge and jury?

To simplify complex technical information

What is the primary purpose of documenting the scene in a digital investigation?

To preserve the evidence

What is the purpose of using photographic markers and scales in digital photography?

To provide a reference point for measurement

What is included in a forensic field kit to store and label evidence?

Evidence bags, seals, and permanent markers

What is the first step in a digital investigation?

Authorization to begin investigation

What is the purpose of sterilizing the media card in a digital camera?

To delete existing content

Why is it important to set the camera's clock to ensure accurate recorded dates and times?

To create a timeline of events

What is the purpose of taking a 'begin digital photography' marker?

To make the media self-documenting

What is the role of interviewing key contacts during the assessment process?

To gather information about the incident

What is a potential consequence of using live response tools in digital forensics?

It renders hard drive information inadmissible in a legal proceeding.

What is the primary function of the Windows Forensic Toolchest (WFT)?

To identify and list running processes, active network connections, and other activity.

What type of devices are often used with dead acquisition in digital forensics?

Computer disks, thumb drives, and memory cards.

What is the purpose of using a Faraday Cage when acquiring evidence from a PDA or cellular phone?

To block wireless access to the device.

What type of files are included in a forensic image of a disk or device?

Active files and directories, and deleted files and file fragments.

What is the main advantage of using live acquisition in digital forensics?

It is used with devices that cannot be turned off.

What is the purpose of integrity checks in digital forensics?

To verify the integrity of the evidence.

What is a situation where live acquisition would be required in digital forensics?

When investigating a running server.

Study Notes

Interacting with Law Enforcement

• Must notify authorities when incident violates civil or criminal law
• Appropriate agency depends on type of crime (e.g., FBI handles computer crimes categorized as felonies)
• State, county, and city law enforcement agencies are better equipped for processing evidence than business organizations
• Involving law enforcement can result in loss of control, long delays, and removal of organizational assets as evidence
• Involving law enforcement is unnecessary if the organization simply wants to reprimand or dismiss an employee

Adversarial Legal System

• U.S. legal system is adversarial in nature, where parties attempt to prove their own views are correct
• Everything is open to challenge by opposing counsel
• Methods used in collecting evidence will be challenged to ensure all parties "follow the rules"

Digital Forensics Team

• A team of experts responsible for translating a real-world problem into questions to be answered by digital forensic analysis
• Consists of a first response team and an analysis and presentation team
• First response team assesses the location, identifies sources of relevant digital evidence, and collects and preserves evidence
• Analysis and presentation team analyzes collected information to identify material facts relevant to the investigation

First Response Team

• Size and makeup of team vary based on organization size
• Roles and duties include:
  • Incident manager: identifies sources of relevant information, produces photographic documentation, and prioritizes collected evidence
  • Scribe or recorder: produces written record of team's activities, maintains control of field evidence log and locker
  • Imager: collects copies or images of digital evidence

Analysis Team

• Performs analysis of collected information to identify material facts relevant to the investigation
• Tasks include:
  • Recovering deleted files
  • Reassembling file fragments
  • Interpreting operating system artifacts
• Larger organizations may divide functions into forensic examiner, forensic analyst, and subject matter expert roles
• Present findings in a clear, easily understood manner, often using analogies to communicate complex technical details

Dedicated Team or Outsource?

• Factors affecting the decision to employ an in-house investigatory team or outsource include:
  • Size and nature of the organization
  • Available resources
  • Cost (tools, hardware, staffing, and training)
  • Response time (outside consultant needs time to get up to speed)
  • Data sensitivity (outside consultant may have access to highly sensitive information)

Forensic Field Kit

• A prepacked field kit containing portable equipment and tools needed for an investigation
• Equipment in the kit should never be borrowed and should always be ready to respond
• Example contents include:
  • Dedicated laptops with multiple operating systems
  • Call list with subject matter experts
  • Mobile phones with extra batteries and chargers
  • Hard drives, blank CDs, DVDs, and thumb drives
  • Imaging software or hardware
  • Forensic software and tools for data collection and analysis
  • Ethernet tap to sniff network traffic
  • Cables, extension cords, power strips, and other equipment

Digital Forensics Methodology

• Digital investigation begins with an allegation of wrongdoing
• Authorization is sought to begin investigation (public sector: search warrant; private sector: affidavit or organization's policy)
• Assessment of the scene and documentation of its state
• Typical tools used include photography and field notes
• Photographic evidence plays a major role in documenting evidence
• Digital camera best practices include sterilizing the media card, setting the camera's clock, and taking the first exposure of a "begin digital photography" marker

Acquiring the Evidence

• Live acquisition: using a trusted set of CD-based tools or stand-alone tools that modify the state of the system
• Windows Forensic Toolchest (WFT) is an example of a live acquisition tool
• Dead acquisition: obtaining a forensic image of a disk or device, including active files and directories, and deleted files and file fragments

Description

Learn about the processes and procedures for interacting with law enforcement agencies, including notification and evidence handling. Understand the roles of different agencies and their capabilities.