Digital Forensics Chapter 2 PDF

Summary

This document provides an overview of digital forensics, including learning objectives, process phases, lab setup, and workstation building. It covers topics such as computer forensic tools and investigation team roles. The content focuses on the practical aspects of handling evidence and conducting an investigation.

Full Transcript


Digital Forensics Chapter 2

Learning Objectives

Computer Forensics: After successfully completing this chapter, you will be able to:
1. Understand the importance of the computer forensics process.
2. Describe the various phases of the computer forensic investigation process.
3. Identify the requirements for building a computer forensics lab and an investigation team.
4. Understand the roles of a First Responder.
5. Perform search and seizure, evidence collection, management and preservation.
6. Discuss data duplication, deleted data recovery and evidence examination.
7. Write an investigation report.

Computer Forensics Process Phases

Pre-investigation Phase:
- Setting up a computer forensics lab (CFL), toolkit, and workstation.
- Building the investigation team and getting approval from the relevant authority.
- Planning the process, defining mission goals, and securing the case perimeter and the devices involved.

Investigation Phase:
- Acquisition, preservation, and analysis of the data to identify the source of the crime and the criminal.
- Applying technical knowledge to find, examine, document, and preserve evidence.

Post-investigation Phase:
- Ensure that the target audience can easily understand the report.
- Ensure the report provides sufficient and acceptable evidence.
- The report should comply with all local laws and standards.
- It should be legally sound and acceptable in a court of law.

Setting up a Computer Forensics Lab

A Computer Forensics Lab (CFL) is a location designated for conducting computer-based investigation of the collected evidence. The lab includes tools (software and hardware), suspect media, and the forensics workstations required to conduct the investigation.

Building a Forensics Workstation

The computer forensics approach should be clearly defined before building the forensics workstation. The computer forensics workstation should have facilities and tools to:
1. Support hardware-based replication of local and remote network drives.
2. Validate the integrity of images and files.
3. Identify the date and time when files were modified, accessed, or created.
4. Identify deleted files.
5. Support removable media.
6. Isolate and analyze free drive space.

Build Computer Forensics Toolkit

Computer forensics tools can be divided into two types:
Computer forensics hardware: FRED Forensic Workstations. FRED systems set the standard for forensic acquisition and analysis workstations.

Build Investigation Team

Computer Forensics Investigation Process Methodology

- Get authorization to conduct the investigation from an authorized decision maker.
- Document all the events and decisions at the time of the incident and the incident response.
- Depending on the scope of the incident and the presence of any national security or life safety issues, the first priority is to protect the organization from further harm.

Follow the Computer Forensics Investigation Methodology:
1. First Response
2. Search and Seizure
3. Collect the Evidence
4. Secure the Evidence
5. Data Acquisition
6. Data Analysis
7. Evidence Assessment
8. Documentation and Reporting
9. Testify as an Expert Witness

Documentation

Documentation of the electronic crime scene is a continuous process during the investigation, making a permanent record of the scene. It includes photographing and sketching the scene. If the evidence gathered by the CFP suggests that the suspect has committed a crime, he or she will produce that evidence in court. If the evidence suggests that the suspect has breached company policy, the CFP will turn over the evidence in the company investigation. If the suspect is present at the time of the search and seizure, the incident manager or the lab manager may consider asking some questions.

Exercise 1
Scenario 1: Dealing with Powered-off Computers

At this point of the investigation, do not change the state of any electronic devices or equipment:
- If it is switched OFF, leave it OFF.
- If a monitor is switched OFF and the display is blank: turn the monitor ON, move the mouse slightly, observe the change from a blank screen to another screen, note the changes, and photograph the screen.
- If a monitor is switched ON and the display is blank: move the mouse slightly. If the screen does not change, do not perform any other keystroke. Photograph the screen.

Exercise 2
Scenario 2: Dealing with Networked Computers

If the victim's computer has an Internet connection, the first responder must follow this procedure to protect the evidence:
1. Unplug the network cable from the router and modem; a live Internet connection can leave the machine open to further attack.
2. Do not use the PC to search for evidence, because doing so may alter the existing evidence or damage its integrity.
3. Unplug all the cables and devices connected to the computer and label them for later identification.
4. Unplug the main power cable from the wall socket.
5. Pack the collected electronic evidence properly and place it in a static-free bag.
6. Keep the collected evidence away from magnets, high temperatures, radio transmitters, and other elements that may damage the integrity of the evidence.
7. Document the steps involved in searching and seizing the victim's computer for later investigation.

SUMMARY

Computer Forensics:
1. Understand the importance of the computer forensics process.
2. Describe the various phases of the computer forensic investigation process.
3. Identify the requirements for building a computer forensics lab and an investigation team.
4. Understand the roles of a First Responder.
5. Perform search and seizure, evidence collection, management and preservation.
6. Understand chain of custody and its importance.
7. Discuss data duplication, deleted data recovery and evidence examination.
8. Write an investigation report.
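Two of the workstation requirements above (validating the integrity of images and files, and recovering the modified/accessed/created timestamps of files) and the final step of the seizure procedure (documenting what was seized) can be exercised with a short script. The following is an added example written for this page, not code from the lecture or from any forensic product; it builds a constructed fake disk image and a constructed seized directory inside a temporary folder so it runs offline, and the file names, digests and timestamps it prints are therefore sample values only.

```python
"""Added example: verify a working copy of an acquired image against the hash
recorded at acquisition time, and inventory seized files with their hashes
and MAC (modified/accessed/changed-or-created) times for the case record.

All inputs are constructed inside a temporary directory; nothing here touches
real evidence or real media."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB image never has to fit in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(copy_path, recorded_sha256):
    """Return (ok, actual_digest). A mismatch means the working copy no longer
    matches what was acquired and must not be used for analysis."""
    actual = sha256_file(copy_path)
    return actual == recorded_sha256, actual


def mac_times(path):
    """Timestamps from the file system as UTC ISO-8601 strings.
    Caveat: on Linux st_ctime is the inode *change* time, not creation time;
    only Windows reports true creation time in this field."""
    st = os.stat(path)

    def fmt(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")

    return {
        "modified": fmt(st.st_mtime),
        "accessed": fmt(st.st_atime),
        "changed_or_created": fmt(st.st_ctime),
    }


def inventory(root):
    """One row per regular file under root: relative path, SHA-256, MAC times.
    Sorted so the record is reproducible when re-run for verification."""
    root = Path(root)
    rows = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            row = {"path": str(p.relative_to(root)), "sha256": sha256_file(p)}
            row.update(mac_times(p))
            rows.append(row)
    return rows


def demo():
    """Build the constructed sample evidence and run both checks.
    Returns (ok_before, ok_after, recorded_digest, inventory_rows)."""
    with tempfile.TemporaryDirectory() as d:
        # constructed fake image: 4 KiB of zeros, a marker, 4 KiB of 0xff
        image = Path(d) / "disk.dd"
        image.write_bytes(b"\x00" * 4096 + b"EVIDENCE" + b"\xff" * 4096)
        recorded = sha256_file(image)              # digest noted at acquisition
        ok_before, _ = verify_image(image, recorded)

        # simulate a working copy that was altered by a single flipped bit
        altered = Path(d) / "disk_copy.dd"
        data = bytearray(image.read_bytes())
        data[4100] ^= 0x01
        altered.write_bytes(bytes(data))
        ok_after, _ = verify_image(altered, recorded)

        # constructed seized directory for the inventory record
        seized = Path(d) / "seized"
        seized.mkdir()
        (seized / "notes.txt").write_text("constructed sample content\n")
        rows = inventory(seized)
        return ok_before, ok_after, recorded, rows


if __name__ == "__main__":
    ok_before, ok_after, digest, rows = demo()
    print("recorded sha256:", digest)
    print("original copy verifies:", ok_before)
    print("altered copy verifies: ", ok_after)
    for r in rows:
        print(r)
```

The hash is computed over the image in chunks, which is how a practitioner would verify a multi-gigabyte acquisition; a single flipped bit in the copy is enough to fail the check, which is exactly the property the integrity step relies on. The inventory rows are what would be copied into the seizure documentation alongside the labels attached to each cable and device.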
