
Computer Forensics
Chapter 1: Computer Forensics and Investigations as a Profession

Objectives
- Define computer forensics
- Describe how to prepare for computer investigations and explain the difference between law enforcement agency and corporate investigations
- Explain the importance of maintaining professional conduct

Understanding Computer Forensics
- Computer forensics
  - Involves obtaining and analyzing digital information
  - As evidence in civil, criminal, or administrative cases

Computer Forensics Versus Other Related Disciplines
- Computer forensics
  - Investigates data that can be retrieved from a computer’s hard disk or other storage media
- Network forensics
  - Yields information about how a perpetrator or an attacker gained access to a network
- Data recovery
  - Recovering information that was deleted by mistake
  - Or lost during a power surge or server crash
  - Typically you know what you’re looking for

Computer Forensics Versus Other Related Disciplines (continued)
- Computer forensics
  - Task of recovering data that users have hidden or deleted and using it as evidence
  - Evidence can be inculpatory (“incriminating”) or exculpatory
- Disaster recovery
  - Uses computer forensics techniques to retrieve information their clients have lost
- Investigators often work as a team to make computers and networks secure in an organization

Public and Private Investigations

Preparing for Computer Investigations
- Computer investigations and forensics fall into two distinct categories
  - Public investigations
  - Private or corporate investigations
- Public investigations
  - Involve government agencies responsible for criminal investigations and prosecution
  - Organizations must observe legal guidelines
- Law of search and seizure
  - Protects rights of all people, including suspects

Law Enforcement Agency Investigations

Understanding Law Enforcement Agency Investigations
- In a criminal case, a suspect is tried for a criminal offense
  - Such as burglary, murder, or molestation
- Computers and networks are sometimes only tools that can be used to commit crimes
  - Many states have added specific language to criminal codes to define crimes involving computers, such as theft of computer data
- Following the legal process
  - Legal processes depend on local custom, legislative standards, and rules of evidence

Understanding Law Enforcement Agency Investigations (continued)
- Following the legal process (continued)
  - Criminal case follows three stages
    - The complaint, the investigation, and the prosecution

Understanding Law Enforcement Agency Investigations (continued)
- Following the legal process (continued)
  - A criminal case begins when someone finds evidence of an illegal act
  - Complainant makes an allegation, an accusation or supposition of fact
  - A police officer interviews the complainant and writes a report about the crime
  - Police blotter provides a record of clues to crimes that have been committed previously
  - Investigators delegate, collect, and process the information related to the complaint

Corporate Investigations

Understanding Corporate Investigations
- Private or corporate investigations
  - Involve private companies and lawyers who address company policy violations and litigation disputes
- Corporate computer crimes can involve:
  - E-mail harassment
  - Falsification of data
  - Gender and age discrimination
  - Embezzlement
  - Sabotage
  - Industrial espionage

Understanding Corporate Investigations (continued)
- Establishing company policies
  - One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
  - Published company policies provide a line of authority
    - For a business to conduct internal investigations
  - Well-defined policies
    - Give computer investigators and forensic examiners the authority to conduct an investigation
- Displaying Warning Banners
  - Another way to avoid litigation

Understanding Corporate Investigations (continued)
- Displaying Warning Banners (continued)
  - Warning banner
    - Usually appears when a computer starts or connects to the company intranet, network, or virtual private network
    - Informs end users that the organization reserves the right to inspect computer systems and network traffic at will
    - Establishes the right to conduct an investigation
    - Removes expectation of privacy
  - As a corporate computer investigator
    - Make sure company displays well-defined warning banner

Understanding Corporate Investigations (continued)
- Designating an authorized requester
  - Authorized requester has the power to conduct investigations
  - Policy should be defined by executive management
  - Groups that should have direct authority to request computer investigations
    - Corporate Security Investigations
    - Corporate Ethics Office
    - Corporate Equal Employment Opportunity Office
    - Internal Auditing
    - The general counsel or Legal Department

Understanding Corporate Investigations (continued)
- Conducting security investigations
  - Types of situations
    - Abuse or misuse of corporate assets
    - E-mail abuse
    - Internet abuse
  - Be sure to distinguish between a company’s abuse problems and potential criminal problems
  - Corporations often follow the silver-platter doctrine
    - What happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer

Understanding Corporate Investigations (continued)
- Distinguishing personal and company property
  - Many company policies distinguish between personal and company computer property
  - One area that’s difficult to distinguish involves PDAs, cell phones, and personal notebook computers
  - The safe policy is to not allow any personally owned devices to be connected to company-owned resources
    - Limiting the possibility of commingling personal and company data

Professional Conduct

Maintaining Professional Conduct
- Professional conduct
  - Determines your credibility
  - Includes ethics, morals, and standards of behavior
- Maintaining objectivity means you must form and sustain unbiased opinions of your cases
- Maintain an investigation’s credibility by keeping the case confidential
  - In the corporate environment, confidentiality is critical
  - In rare instances, your corporate case might become a criminal case as serious as murder
