Media Leak Investigations Guidelines

Remote Network Acquisition Tools

• RAFT (Remote Acquisition Forensic Tool) is a tool that facilitates forensic investigators in gathering digital evidence remotely.
• It operates through a secure, verifiable client/server imaging architecture, ensuring the integrity of acquired data.

Baseline Approach for Remote Evidence Collection

• During the COVID-19 pandemic, travel restrictions accelerated the use of remote forensics.
• Control Risks recommends a baseline approach for remote evidence collection, including:
  • Electronic Evidence Assessment: understanding device inventory and gathering specifications.
  • Collection and Execution: preparing and deploying collection toolkits, coordinating with clients and custodians.
  • Verification: verifying evidence integrity after transferring data to the expert's facility.

Legacy Tools and Custom Solutions

• Legacy tools like EnCase and specialized remote acquisition tools like F-Response are widely used.
• Choosing the right tool is essential for efficient and effective remote data collection.

Belkasoft Evidence Center (BEC)

• BEC allows straightforward remote device image acquisition through deploying an agent to the remote computer and acquiring an image of the PC.

Secure Storage Environment

• Physical Security: storing evidence in a secure location with restricted access.
• Temperature and Humidity Control: avoiding extreme conditions that could damage storage media.
• Backup and Redundancy: creating backups to prevent data loss due to hardware failure.

Hash Functions in Digital Forensics

• Case Study 1: Identifying Malware - using hash functions to identify malware by comparing hash values against a database of known malware hashes.
• Case Study 2: Verifying Integrity of Evidence - using hash functions to verify the integrity of evidence in a high-profile court case.

Processing Crime and Incident Scenes

• Understanding Digital Evidence:
  • Definition: digital evidence encompasses any information stored or transmitted in digital form.
  • Legal Recognition: U.S. courts accept digital evidence as physical evidence, treating digital data as tangible objects.
• General Investigator Tasks:
  • Identification: identifying digital artifacts that can serve as evidence.
  • Collection and Preservation: properly collecting, preserving, and documenting evidence.
  • Analysis and Organization: analyzing and organizing the evidence.
  • Verification: repeating a situation to verify reproducibility ensures reliable results.

Media Leak Investigations

• Guidelines for media leak investigations:
  • Examine e-mail, both organization's e-mail servers and private e-mail accounts.
  • Examine Internet message boards and search the Internet for any information about the company or product.
  • Examine proxy server logs to check for log activities.
  • Track back to specific workstations where messages originated and perform a forensic analysis on the drives.
  • Examine known suspects' workstations, perform computer forensics examinations, and develop other leads on possible associates.
  • Examine all company phone records for any calls to known media organizations.

Email Forensics Tools

• MailXaminer:
  • Comprehensive email forensics software used by professionals worldwide.
  • Analyze email headers, search for specific keywords, recover deleted emails, and extract email artifacts.
• 4n6 Email Forensics Wizard:
  • Specifically designed for email analysis and recovery.
  • Recovers deleted emails, extracts attachments, parses multiple email file formats, and analyzes email artifacts.
• Aid4Mail Forensic:
  • Known for powerful email conversion capabilities.
  • Supports various email formats, converts and analyzes emails from different sources.
• MailPro+:
  • Aids in email forensics and analysis.
  • Parses email files, extracts metadata, and assists in uncovering evidence.
• Sintelix:
  • Offers advanced capabilities for email forensics.
  • Supports email analysis, extracts relevant data, and assists in establishing facts.