CSF 3403 - WK3

Questions and Answers

What is the role of a digital forensics investigator?

• gather evidence
• conduct investigation by processing digital evidence
• preserve evidence on a different computer
• prove a suspect has committed a crime/violated company policy
• summarize findings in a report
• present findings when required (to the prosecutor, in a court, to a company executive...)

What is a "Chain of Custody"?

Route the evidence takes from the time you find it until the case is closed or goes to court

What happens if you don’t know (or cannot establish) who took a suspect hard disk from the crime scene to the lab?

• the chain of custody is broken
• the disk may have been tampered with
• the evidence's integrity is compromised

What does the information contained by computers help law enforcement determine?

• Chain of events leading to a crime
• Evidence that can lead to a conviction

Digital evidence can be _______ ___________ by an overeager investigator

easily altered

Law enforcement officers should ______ ______ _________ when acquiring the evidence

follow proper procedure

information on hard disks might be password protected so _________ _____ may need to be used in your investigation

forensics tools

What are some examples of employee misuse of company resources?

• Surfing the Internet
• Sending personal e-mails
• Using company computers for personal tasks during work hours

What are the steps to taking a systematic approach to problem solving?

• Make an initial assessment about the type of case you are investigating
• Determine a preliminary design or approach to the case
• Create a detailed checklist
• Determine the resources you need
• Obtain and copy an evidence drive
• Identify the risks
• Mitigate or minimize the risks
• Test the design
• Analyze and recover the digital evidence
• Investigate the data you recover
• Complete the case report
• Critique the case

How can you determine the case requirements?

by systematically outlining the case details:

• Situation
• Nature of the case
• Specifics of the case
• Type of evidence
• Known disk format
• Location of evidence

What activities should a basic investigation plan include?

• Acquiring the evidence
• Completing an evidence form and establishing a chain of custody
• Transporting the evidence to a computer forensics lab
• Securing evidence in an approved secure container
• Preparing your forensics workstation
• Retrieving the evidence from the secure container
• Making a forensic copy of the evidence
• Returning the evidence to the secure container
• Processing the copied evidence with computer forensics tools

What is the purpose of an evidence of custody/chain-of-evidence form?

it helps you document what has been done with the original evidence and its forensics copies

What are the two types of evidence of custody forms?

• single evidence form (Lists each piece of evidence on a separate page)
• multi-evidence form

Why is documenting evidence during a forensics analysis very important?

a broken chain of custody can throw out your case

What is the multi-evidence form good for and what does it contain?

• good for max. 10 items
• has the name of the investigator who recovered the evidence
• specifies the locker used
• lists which investigators retrieved the evidence from the locker to process it
• lists what has been done with the evidence

Describe a single-evidence form.

• has more flexibility in tracking separate pieces of evidence for your chain-of-custody log
• has more space for descriptions to help finalize the investigation and create a case report
• allows one to accurately account for what was done to the evidence and what was found
• can be used as a reference for all actions taken during the investigative analysis

How can you secure your evidence?

• Use evidence bags to secure and catalog the evidence
• Use computer safe products when collecting computer evidence( antistatic bags and pads)
• Use well padded containers
• Use evidence tape to seal all openings (CD drive bays, insertion slots for power supply electrical cords and USB cables)
• Write your initials on tape to prove that evidence has not been tampered with
• Consider computer specific temperature and humidity ranges (Make sure you have a safe environment for transporting and storing it until a secure evidence container is available)

When dealing with private-sector high-tech investigations procedures, what should you develop?

formal procedures and informal checklists to cover all issues important to high-tech investigations, Such as:

• employee termination cases
• internet abuse cases
• email abuse cases
• Attorney-Client Privilege Investigations
• Industrial espionage Cases

What do the majority of investigative work for termination cases involve?

employee abuse of corporate assets

What are the predominant types of employee termination cases investigated?

Incidents that create a hostile work environment (viewing porn in the workplace, sending inappropriate emails).

What do you need to prepare to conduct an internet abuse investigation?

• Organization’s Internet proxy server logs
• Suspect computer’s IP address
• Suspect computer’s disk drive
• Your preferred computer forensics analysis tool

What steps outline outline the recommended processing of an Internet abuse case?

• Use the standard forensic analysis techniques and procedures
• Use tools for Internet keyword search option to extract all Web page URL information
• Contact the network firewall administrator and request a proxy server log
• Compare the data recovered from forensic analysis to the proxy server log data to confirm that they match
• Continue analyzing the computer’s disk drive data

Step 4 of processing an internet abuse case: Compare the data recovered from forensic analysis to the proxy server log data to confirm that they match. What should you do if the URL data matches the proxy server log and the forensic disk examination?

continue analyzing the suspect computer’s drive data, and collect any relevant downloaded inappropriate pictures or Web pages that support the allegation.

Step 4 of processing an internet abuse case: Compare the data recovered from forensic analysis to the proxy server log data to confirm that they match. What should you do if there are no matches between the proxy server logs, and the forensic examination shows no contributing evidence?

report that the allegation is unsubstantiated

What do you need to prepare to conduct an email abuse investigation?

• An electronic copy of the offending e-mail that contains message header data
• If available, e-mail server log records
• For e-mail systems that store users’ messages on a central server, access to the server
• Access to the computer so that you can perform a forensic analysis on it
• Your preferred computer forensics analysis tool

What steps outline the recommended processing of an E-mail abuse case?

• For computer-based e-mail data files: use the standard forensic analysis techniques and procedures
• For server-based e-mail data files: contact the e-mail server administrator and obtain an electronic copy of the suspect and victim’s e-mail folder or data.
• For Web-based e-mail investigations: such as Hotmail or Gmail, use tools such as Forensic Toolkit’s Internet keyword search option to extract all related e-mail address information.
• Examine header data of all messages of interest to the investigation.

What things may lead to a media leak?

• disgruntled employees sending an organization's sensitive data to a news reporter
• employees attempting to embarrass management to a rival conducting a power struggle between other internal organizations
• premature release of information about new products, which can disrupt operations and cause market share loss for a business if the information is made public too soon

What do you need to consider to conduct a media leak investigation?

• Examine e-mail
• Examine Internet message boards
• Examine proxy server logs
• Examine known suspects’ workstations
• Examine all company telephone records

What steps outline the recommended processing of Media Leaks?

1. Interview management privately to get a list of employees who have direct knowledge of the sensitive data.
2. Identify the media source that published the information.
3. Review company phone records to see who might have had contact with the news service.
4. Obtain a list of keywords related to the media leak.
5. Perform keyword searches on proxy and e-mail servers.
6. Discreetly conduct forensic disk acquisitions and analysis of employees of interest.
7. From the forensic disk examinations, analyze all e-mail correspondence and trace any sensitive messages to other people who haven't been listed as having direct knowledge of the sensitive data.
8. Expand the discreet forensic disk acquisition and analysis for any new persons of interest.
9. Consolidate and review your findings periodically to see whether new clues can be discovered.
10. Report findings to management routinely, and discuss how much further to continue

All suspected industrial espionage cases should be treated as ________ ______________

criminal investigations

What kind of staff do you need to conduct industrial espionage investigations?

• Digital investigator who is responsible for disk forensic examinations
• Technology specialist who is knowledgeable of the suspected compromised technical data
• Network specialist who can perform log analysis and set up network sniffers
• Threat assessment specialist (typically an attorney)

What guidelines should you follow when initiating industrial espionage cases?

• Determine whether this investigation involves a possible industrial espionage incident
• Consult with corporate attorneys and upper management
• Determine what information is needed to substantiate the allegation
• Generate a list of keywords for disk forensics and sniffer monitoring
• List and collect resources for the investigation
• Determine goal and scope of the investigation
• Initiate investigation after approval from management

What steps outline the recommended processing of an industrial espionage case?

• Gather all personnel assigned to the investigation and brief them on the plan and any concerns.
• Gather the resources needed to conduct the investigation.
• Start the investigation by placing surveillance systems, such as cameras and network monitors, at key locations
• Discreetly gather any additional evidence, such as the suspect's computer drive, and make a bit-stream image for follow-up examination
• Collect all log data from networks and e-mail servers, and examine them for unique items that might relate to the investigation
• Report regularly to management and corporate attorneys on your investigation's status and current findings
• Review the investigation's scope with management and corporate attorneys to deter mine whether it needs to be expanded and more resources added

What is the difference between an interview and an interrogation?

An interview is usually conducted to collect information from a witness or suspect, while an interrogation is the process of trying to get a suspect to confess.

What is the role of a digital investigator in an interview?

to instruct the investigator conducting the interview on what questions to ask and what the answers should be.

What are the ingredients to a successful interview or interrogation?

• Being patient throughout the session
• Repeating or rephrasing questions to zero in on specific facts from a reluctant witness or suspect
• Being tenacious