Modules1.pdf

LEARNING OBJECTIVES(LO) The learning objectives of this module are to: ¥ LO#01: Understand the Fundamentals of Computer Forensics ¥ LO#02: Understand Cybercrimes and their Investigation Procedures LO#03: Understand Digital Evidence and eDiscovery A LO#04: Understand Forensic Readiness N LO#05: Understand the Role of Various Processes and Technologies in Computer Forensics NAN LO#06: Identify the Roles and Responsibilities of a Forensic Investigator A LO#07: Understand the Challenges Faced in Investigating Cyber Crimes X ©* LO#08: Understand Various Standards and Best Practices Related to Computer Forensics LO#09: Understand Laws and Legal Compliance in Computer Forensics a» Understanding Computer Forensics ¢ “ Computer forensics refer to a set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment, such that any discovered evidence is acceptable during a legal and/or administrative proceeding Objectives: To track and prosecute the perpetrators of a cyber crime To gather evidence of cyber crimes in a forensically sound manner To estimate the potential impact caused by the incident on the victim and determine the intent of the perpetrator To minimize the tangible and intangible losses to the organization To protect the organization from similar incidents in the future Scope of Computer Forensics C : HFI “ Computer forensics has a wide scope in investigating, analyzing, and extracting data from the digital evidence acquired from the crime scenes Some of the important areas the computer forensics has huge scope Digital Crime Investigations Malware Analysis Computer forensic techniques used to identify the culprit by Used to analyze the malware-infected systems and to analyzing the digital evidence examine the malware samples to determine their behavior Incident Response Corporate Investigations Used to analyze cyberattacks to determine the root cause of Helps organizations to investigate cyberattacks and helps in the incident resolving them eDiscovery Collaboration with Law Enforcement Agencies Used to identify, collect, preserve, and analyze digital evidence Supports organizations in collaborating with the law in support to regulatory compliance and litigations enforcement agencies during the prosecution and building Nindow: a25 LO#02: Understand Cybercrimes and their Investigation Procedures @ Types of Cybercrimes © Examples of Cybercrimes @ Cyber Attribution ® Cybercrime investigation © Civil vs. Criminal Investigation © Administrative Investigation Types of Cybercrimes | Cybercrime is defined as any illegal act involving a computing device, network, its systems, or its applications Cybercrime can be categorized into two types based on the line of attack: Internal/Insider Attack External Attack ® Performed on a corporate network or on a single ® Occurs when an attacker from outside the computer by an entrusted person (insider) who organization tries to gain unauthorized access to has authorized access to the network their computing systems or informational assets ®@ Such insiders can be former or current employees, @ The attackers exploit security loopholes or use business partners, or contractors social engineering techniques to infiltrate the network Examples of Cybercrimes , = tower» — ISVESTHLA Toe | Espionage Phishing/Spoofing ms Theft of Intellectual Property Privilege Escalation Attack Manipulation of Data Denial-of-Service Attack Trojans Horse Attack Cyber Defamation SQL Injection Attack 11 Cyberterrorism Brute-force Attack Cyberwarfare ia] a" Cyber Attribution ¢ : @ Cyber attribution is a process of technical methods and organizational measures for discovering, tracing, and inculpate the responsible individual or groups for cyberattacks or malicious campaigns @ Organizations conducts investigations to attribute the cyberattack to an attacker and get a complete procedural frame of attack for bringing them in front of justice Use various forensic analysis tools, recovery tools, scripts, or applications to obtain a relevant and important information about a cyberattack Cyber Attribution mg Analyze technical indications such as malicious code, command and control infrastructure, digital signatures, and network traffic patterns 3 Understand the past attacks and their motivations to analyze the behavior of threat 7 actors and to build threat actor profiles for attribution Cybercrime Investigation “O Zz fe= = © The investigation of any crime involves the meticulous collection of clues and forensic evidence with attention to detail © Inevitably, at least one electronic device will be found during the investigation, such as a computer, a mobile device, a printer, CUM SS or an |oT/OT device ee EE The electronic device acquired from the crime scene might contain valuable evidence and play a major role in solving the case L hc el Therefore, the information contained in the device must be investigated in a forensically sound manner in order to be SS accepted by the court of law SSS The different types of approaches to manage cybercrime investigation include civil, criminal, and administrative Processes such as collection of data, analysis, and presentation differ based on the type of case Civil vs. Criminal Investigation © Civil cases are brought for violation of contracts and lawsuits, where a guilty outcome generally results in monetary damages to the plaintiff, whereas criminal cases are generally brought by law enforcement agencies in response to a suspected violation of law, where a guilty outcome may result in monetary damages, imprisonment, or both Criminal Cases Civil Cases Investigators must follow a set of standard forensic Investigators try to show the opposite party some proof processes accepted by law in the respective jurisdiction to support the claims and induce settlement @ Investigators, under a court’s warrant, have the authority Searching of the devices is generally based on mutual to forcibly seize computing devices understanding @ A formal investigation report is required The initial reporting of the evidence is generally informal Law enforcement agencies are responsible for collecting and analyzing evidence The claimant is responsible for the collection and analysis of the evidence ® Punishments are harsh and include a fine, jail sentence, or both Punishments include monetary compensation Administrative Investigation @ Administrative investigation refers to an internal investigation by an organization or government agency to discover if their employees, clients, and partners are complying with the rules or policies © Administrative investigations are non-criminal in nature and are related to misconduct or activities of an employee that include, but are not limited to: ® Violation of organization’s policies, rules, or protocols O © ® Violation of regulatory or legal requirements ® Resource misuse or damage or theft ® Threatening or violent behavior ®@ Improper promotion or pay raises & Any violation may result in disciplinary action such as demotion, suspension, revocation, penalties, and dismissal @ The investigations are carried out by internal teams such as compliance department, human resources, and internal LO#03: Understand Digital Evidence and eDiscovery @ Introduction to Digital Evidence ®@ The ACPO Principles of Digital Evidence @ Types of Digital Evidence ® Computer Forensics vs. eDiscovery @ Roles of Digital Evidence @ Legal and IT Team Considerations for @ Sources of Potential Evidence = @ Rules of Evidence @ Best Practices for Handling Digi @ Best Evidence Rule ® Federal Rules of Evidence (United States) Introduction to Digital Evidence ¢ =x — Leet Digital evidence refers to any electronic data or information that can be collected and used in legal proceedings to support or prove a case | Digital evidence includes information that is either stored or transmitted in digital form and has probative Z value Digital information may be found while examining digital storage media, monitoring the network traffic, or

Related

Transcript

Tags

Upgrade to continue