Guide to Computer Forensics and Investigations PDF
Summary
This document provides a guide to computer forensics and investigations. It covers topics including the field of digital forensics, how to prepare investigations, and maintain professional conduct. It also details procedures for private-sector digital investigations and describes data recovery workstations and software, as well as planning considerations for investigations.
Full Transcript
Guide to Computer Forensics and Investigations, Sixth Edition
Chapter 1: Understanding the Digital Forensics Profession and Investigations

Objectives
- Describe the field of digital forensics
- Explain how to prepare computer investigations and summarize the difference between public-sector and private-sector investigations
- Explain the importance of maintaining professional conduct
- Describe how to prepare a digital forensics investigation by taking a systematic approach
- Describe procedures for private-sector digital investigations
- Explain requirements for data recovery workstations and software
- Summarize how to conduct an investigation, including critiquing a case

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

Computer Forensics
Computer forensics is the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
Is the term "cyber forensics" more appropriate these days?

Digital Evidence
Digital evidence is collected from:
- Networks (network forensics)
- Small-scale digital devices
- Storage media (computer forensics)
- Code analysis
- Message forensics

Computer Forensic Activities
Computer forensics activities commonly include:
- The secure collection of computer data
- The identification of suspect data
- Imaging/acquisition
- The examination of suspect data to determine details such as origin and content
- The presentation of computer-based information to courts of law
- The application of a country's laws to computer practice
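The secure-collection, imaging and examination activities listed above are the textbook's "acquire, authenticate, analyze" methodology in practice. The following Python example is added here and is not from the textbook: it runs that cycle on a constructed in-memory "device" (the byte string, the keyword and every function name are invented for the example). The point it makes that the slide cannot is that the acquisition hash is taken while the source is only read, the working copy is checked against that hash before any examination, and it is re-hashed afterwards to document that the examination changed nothing.

```python
"""Added example, not from the textbook: the acquire / authenticate / analyze
cycle on a constructed in-memory "device". All names and data are invented."""
import hashlib

# Constructed stand-in for a seized storage device: filler bytes around one
# text fragment that an examiner might search for.
SOURCE_DEVICE = b"\x00" * 2048 + b"invoice_2019.xlsx" + b"\xff" * 2031
KEYWORD = b"invoice_2019"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(device: bytes) -> tuple:
    """Acquire: bit-for-bit copy of the source plus the source's hash, taken
    while the source is only being read. Nothing is ever written to `device`."""
    image = bytes(device)
    return image, sha256_hex(device)


def authenticate(image: bytes, acquisition_hash: str) -> bool:
    """Authenticate: the working image must hash to the value recorded at
    acquisition; a single flipped byte fails this check."""
    return sha256_hex(image) == acquisition_hash


def analyze(image: bytes, keyword: bytes) -> list:
    """Analyze: a read-only keyword search over the copy, returning the byte
    offset of every occurrence."""
    hits, start = [], 0
    while (idx := image.find(keyword, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def run_three_as(device: bytes, keyword: bytes) -> dict:
    """Run the full cycle and report whether copy and source survived intact."""
    image, acquisition_hash = acquire(device)
    if not authenticate(image, acquisition_hash):
        raise RuntimeError("image does not match the acquisition hash")
    hits = analyze(image, keyword)
    # Re-hash after analysis: documents that the examination did not modify
    # the copy, and that the original was never touched either.
    return {
        "acquisition_hash": acquisition_hash,
        "hits": hits,
        "unchanged_after_analysis": sha256_hex(image) == acquisition_hash,
        "source_unchanged": sha256_hex(device) == acquisition_hash,
    }


if __name__ == "__main__":
    print(run_three_as(SOURCE_DEVICE, KEYWORD))
```

On a real case the "device" is read through a write-blocker and the hashes go on the evidence form; the verification logic is the same.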
Digital Forensics and Other Related Disciplines
Investigating digital devices includes:
- Collecting data securely
- Examining suspect data to determine details such as origin and content
- Presenting digital information to courts
- Applying laws to digital device practices
Digital forensics is different from data recovery, which involves retrieving information that was deleted by mistake or lost during a power surge or server crash.
Forensics investigators often work as part of a team, known as the investigations triad.

The 3 As
The basic methodology consists of the 3 As:
- Acquire the evidence without altering or damaging the original
- Authenticate the image
- Analyze the data without modifying it

Understanding Case Law
- Existing laws can't keep up with the rate of technological change
- When statutes don't exist, case law is used: it allows legal counsel to apply previous similar cases to the current one in an effort to address ambiguity in the law
- Examiners must be familiar with recent court rulings on search and seizure in the electronic environment
- UAE cyber crime laws: 2006, 2009, 2012, and 2016 (Arabic and English scripts)

Understanding Law Enforcement Agency Investigations (continued; slide from the Fifth Edition)
Following the legal process (continued):
- A criminal case follows three stages: the complaint, the investigation, and the prosecution

Following Legal Processes
- A criminal investigation usually begins when someone finds evidence of or witnesses a crime
- The witness or victim makes an allegation to the police
- Police interview the complainant and write a report about the crime
- The report is processed, and management decides either to start an investigation or to log the information in a police blotter
- A blotter is a historical database of previous crimes
- Affidavit: a sworn statement in support of facts about, or evidence of, a crime; it must include exhibits that support the allegation

Understanding Private-Sector Investigations
- Public-sector forensics investigations involve social and economic crimes that are against the law of the state or the country, for instance threatening, blackmailing, pornography, harassment, and murder. Public crimes are investigated by police in the light of the law of the land.
- Private-sector investigations involve private companies and lawyers who address company policy violations and litigation disputes (example: wrongful termination)
- Businesses strive to minimize or eliminate litigation
- Private-sector crimes can involve e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage
- Businesses can avoid litigation by displaying a warning banner on computer screens; the banner informs end users that the organization reserves the right to inspect computer systems and network traffic at will
- Line of authority: states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
- Businesses are advised to specify an authorized requester who has the power to initiate investigations
- Examples of groups with authority:
  - Corporate security investigations
  - Corporate ethics office
  - Corporate equal employment opportunity office
  - Internal auditing
  - The general counsel or legal department
- During private investigations, you search for evidence to support allegations of violations of a company's rules or an attack on its assets
- Three types of situations are common: abuse or misuse of computing assets, e-mail abuse, and Internet abuse
- A private-sector investigator's job is to minimize risk to the company

Maintaining Professional Conduct
- Professional conduct includes ethics, morals, and standards of behavior
- An investigator must exhibit the highest level of professional behavior at all times: maintain objectivity, and maintain credibility by maintaining confidentiality
- Investigators should also attend training to stay current with the latest technical changes in computer hardware and software, networking, and forensic tools

Preparing a Digital Forensics Investigation
- The role of a digital forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy
- Collect evidence that can be offered in court or at a corporate inquiry
- Investigate the suspect's computer
- Preserve the evidence on a different computer
- Chain of custody: the route the evidence takes from the time you find it until the case is closed or goes to court

An Overview of a Computer Crime
- Computers can contain information that helps law enforcement determine the chain of events leading to a crime and evidence that can lead to a conviction
- Law enforcement officers should follow proper procedure when acquiring the evidence
- Digital evidence can be easily altered by an overeager investigator
- A potential challenge: information on hard disks might be password protected, so forensics tools may need to be used in your investigation

An Overview of a Company Policy Violation
- Employees misusing resources can cost companies millions of dollars
- Misuse includes surfing the Internet, sending personal e-mails, and using company computers for personal tasks

Taking a Systematic Approach
Steps for problem solving:
- Make an initial assessment about the type of case you are investigating
- Determine a preliminary design or approach to the case
- Create a detailed checklist
- Determine the resources you need
- Obtain and copy an evidence drive
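The chain of custody defined above (the route evidence takes from the moment it is found until the case closes) is only as good as the record of each handoff. The following Python example is added here and is not from the textbook: it models a custody log as a list of entries and checks the two things a court will ask about, that every release is by the person or place that last received the item and that the item still hashes to its acquisition value. The item number, the people, the timestamps and the image bytes are all constructed for the example.

```python
"""Added example, not from the textbook: a minimal chain-of-custody log with a
continuity and integrity check. Names, dates and the image bytes are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CustodyEntry:
    item_id: str       # evidence item number as written on the custody form
    released_by: str   # who handed the item over (or where it was seized)
    received_by: str   # who took possession
    timestamp: str     # ISO-8601 time of the handoff
    purpose: str
    sha256: str        # hash the receiver verified at the handoff


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed evidence image and its acquisition hash.
IMAGE = b"constructed bit-stream image of item E-001"
IMAGE_HASH = sha256_hex(IMAGE)

GOOD_CHAIN = [
    CustodyEntry("E-001", "Office 4B (seizure)", "A. Chen", "2019-03-04T09:15:00", "Seizure", IMAGE_HASH),
    CustodyEntry("E-001", "A. Chen", "Evidence locker", "2019-03-04T09:40:00", "Storage", IMAGE_HASH),
    CustodyEntry("E-001", "Evidence locker", "B. Ortiz", "2019-03-05T08:00:00", "Forensic imaging", IMAGE_HASH),
    CustodyEntry("E-001", "B. Ortiz", "Evidence locker", "2019-03-05T11:30:00", "Return to storage", IMAGE_HASH),
]

# Same log with one handoff missing: nobody recorded the locker releasing the
# item to C. Patel, yet C. Patel hands it to B. Ortiz.
BROKEN_CHAIN = GOOD_CHAIN[:2] + [
    CustodyEntry("E-001", "C. Patel", "B. Ortiz", "2019-03-05T08:00:00", "Forensic imaging", IMAGE_HASH),
    GOOD_CHAIN[3],
]


def verify_custody_chain(entries, item_id, current_image):
    """Return a list of problems; an empty list means every handoff is
    continuous and in time order and the item still matches its acquisition hash."""
    problems = []
    chain = [e for e in entries if e.item_id == item_id]
    if not chain:
        return [f"{item_id}: no custody entries"]
    for prev, nxt in zip(chain, chain[1:]):
        if nxt.released_by != prev.received_by:
            problems.append(f"{item_id}: gap, {prev.received_by} held the item but {nxt.released_by} released it")
        if datetime.fromisoformat(nxt.timestamp) <= datetime.fromisoformat(prev.timestamp):
            problems.append(f"{item_id}: handoff at {nxt.timestamp} is not after {prev.timestamp}")
        if nxt.sha256 != prev.sha256:
            problems.append(f"{item_id}: hash changed at handoff to {nxt.received_by}")
    if sha256_hex(current_image) != chain[0].sha256:
        problems.append(f"{item_id}: current image does not match the acquisition hash")
    return problems


if __name__ == "__main__":
    print("good chain:", verify_custody_chain(GOOD_CHAIN, "E-001", IMAGE))
    print("broken chain:", verify_custody_chain(BROKEN_CHAIN, "E-001", IMAGE))
```

The single-evidence and multi-evidence forms the textbook describes are the paper equivalents of this list; the check here is what an examiner does by eye when reviewing the form before testimony.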
Planning Your Investigation
A basic investigation plan should include the following activities:
- Acquire the evidence
- Complete an evidence form and establish a chain of custody
- Transport the evidence to a computer forensics lab
- Secure the evidence in an approved secure container
- Prepare your forensics workstation
- Retrieve the evidence from the secure container
- Make a forensic copy of the evidence
- Return the evidence to the secure container
- Process the copied evidence with computer forensics tools
An evidence custody form helps you document what has been done with the original evidence and its forensic copies. It is also called a chain-of-evidence form. There are two types:
- Single-evidence form: lists each piece of evidence on a separate page
- Multi-evidence form
(Slides 4 and 5 of "Planning Your Investigation" are figure-only slides not captured in the transcript.)

Securing Your Evidence
- Use evidence bags to secure and catalog the evidence
- Use computer-safe products when collecting computer evidence: antistatic bags and antistatic pads
- Use well-padded containers
- Use evidence tape to seal all openings: CD drive bays, and the insertion slots for power supply electrical cords and USB cables

Employee Termination Cases
- The majority of investigative work for termination cases involves employee abuse of corporate assets
- Incidents that create a hostile work environment are the predominant types of cases investigated: viewing pornography in the workplace, sending inappropriate e-mails
- Organizations must have appropriate policies in place

Internet Abuse Investigations (1 of 2)
To conduct an investigation you need:
- The organization's Internet proxy server logs
- The suspect computer's IP address
- The suspect computer's disk drive
- Your preferred computer forensics analysis tool
Internet Abuse Investigations (2 of 2)
Recommended steps:
- Use standard forensic analysis techniques and procedures
- Use appropriate tools to extract all Web page URL information
- Contact the network firewall administrator and request a proxy server log
- Compare the data recovered from forensic analysis to the proxy server log
- Continue analyzing the computer's disk drive data

E-mail Abuse Investigations
To conduct an investigation you need:
- An electronic copy of the offending e-mail that contains message header data
- If available, e-mail server log records
- For e-mail systems that store users' messages on a central server, access to the server
- Access to the computer so that you can perform a forensic analysis on it
- Your preferred computer forensics analysis tool
Recommended steps:
- Use the standard forensic analysis techniques
- Obtain an electronic copy of the suspect's and victim's e-mail folder or data
- For Web-based e-mail investigations, use tools such as FTK's Internet Keyword Search option to extract all related e-mail address information
- Examine the header data of all messages of interest to the investigation
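The "compare the data recovered from forensic analysis to the proxy server log" step of the Internet abuse procedure is a join between two evidence sources keyed on the suspect's IP address. The following Python example is added here and is not from the textbook: it parses a constructed proxy log (a simplified five-field line format invented for the example, not any vendor's real format), restricts it to the suspect IP, and splits the URLs recovered from the disk into those the proxy corroborates, those seen only on disk, and those seen only at the proxy. All IPs, hosts and URLs are constructed documentation values.

```python
"""Added example, not from the textbook: correlating URLs recovered from a
suspect's disk with the organization's proxy log. The log format and all
addresses/URLs are constructed for the example; real proxy formats differ."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed proxy log, one request per line:
# <unix time> <client ip> <method> <url> <status>
PROXY_LOG = """\
1552114200.123 10.20.30.44 GET http://news.example/today 200
1552114260.456 10.20.30.44 GET http://gambling.example/lobby 200
1552114300.789 10.20.30.51 GET http://gambling.example/lobby 200
1552114400.001 10.20.30.44 CONNECT streaming.example:443 200
this line is malformed and must be skipped
1552114500.222 10.20.30.44 GET http://intranet.example/hr 200
"""

# Constructed URLs recovered from the suspect's browser history / cache.
RECOVERED_URLS = [
    "http://news.example/today",
    "http://gambling.example/lobby",
    "http://shop.example/cart",
]

SUSPECT_IP = "10.20.30.44"


def parse_proxy_log(text):
    """Yield (utc timestamp, client ip, method, url) for well-formed lines only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip anything that does not fit the five-field layout
        try:
            ts = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def host_of(url):
    """Host part of a URL; CONNECT targets arrive as host:port without a scheme."""
    if "://" not in url:
        return url.split(":")[0]
    return urlsplit(url).hostname


def correlate(log_text, suspect_ip, recovered_urls):
    """Split the evidence into URLs seen on both disk and proxy, disk only and
    proxy only, restricted to the suspect's IP. Host-level overlap is reported
    separately because caches and proxy logs rarely agree on exact URLs."""
    proxy_hits = {}
    for ts, ip, method, url in parse_proxy_log(log_text):
        if ip == suspect_ip:
            proxy_hits.setdefault(url, []).append(ts.isoformat())
    disk = set(recovered_urls)
    proxy = set(proxy_hits)
    disk_hosts = {host_of(u) for u in disk}
    proxy_hosts = {host_of(u) for u in proxy}
    return {
        "corroborated": {u: proxy_hits[u] for u in sorted(disk & proxy)},
        "disk_only": sorted(disk - proxy),
        "proxy_only": sorted(proxy - disk),
        "hosts_in_both": sorted(disk_hosts & proxy_hosts),
    }


if __name__ == "__main__":
    for key, value in correlate(PROXY_LOG, SUSPECT_IP, RECOVERED_URLS).items():
        print(key, value)
```

The "disk only" and "proxy only" buckets are the ones that need follow-up: a URL on disk with no proxy record may predate the log retention window or have bypassed the proxy, and a proxy record with nothing on disk may mean the browser cache was cleared. Both are findings for the report, not errors.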
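The last step of the e-mail abuse procedure, examining the header data of each message of interest, means reading the Received chain from the bottom up and comparing the visible From address with the envelope sender. The following Python example is added here and is not from the textbook: it parses a constructed message with two Received hops using the standard library's email parser and returns the fields an examiner would put in the report. The hosts, addresses and IPs are documentation values invented for the example.

```python
"""Added example, not from the textbook: pulling the evidentiary fields out of
an e-mail header block. The message below is constructed; its hosts, addresses
and IPs are documentation values, not real infrastructure."""
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message with two Received hops. Each relay prepends its own
# Received header, so the topmost is the last hop and the bottom one is the origin.
RAW_MESSAGE = """\
Return-Path: <bulk@mailer.example>
Received: from mail.corp.example (mail.corp.example [192.0.2.10])
\tby mx.corp.example with ESMTP id 4aa8d2;
\tTue, 05 Mar 2019 10:15:02 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mail.corp.example with SMTP;
\tTue, 05 Mar 2019 10:14:58 +0000
From: "HR Department" <hr@corp.example>
To: j.doe@corp.example
Subject: constructed sample message
Message-ID: <20190305101458.1234@mailer.example>
Date: Tue, 05 Mar 2019 10:14:50 +0000

Constructed body; only the headers matter for this example.
"""

# "from <host> (... [<ip>]) by <host>": the shape most relays write.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(?P<by>\S+)",
    re.S,
)


def domain_of(address):
    return address.rpartition("@")[2].lower()


def examine_headers(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    # Reverse so hops are listed in delivery order: origin first.
    for received in reversed(msg.get_all("Received", [])):
        text = str(received)
        m = RECEIVED_RE.search(text)
        if not m:
            continue  # relay wrote a shape we do not parse; leave it for manual review
        when = parsedate_to_datetime(text.rpartition(";")[2].strip())
        hops.append({"from": m["from"], "ip": m["ip"], "by": m["by"], "time": when.isoformat()})
    from_addr = parseaddr(str(msg["From"]))[1]
    return_path = parseaddr(str(msg["Return-Path"]))[1]
    return {
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else None,
        "from": from_addr,
        "return_path": return_path,
        # A From: domain that differs from the envelope sender is worth noting in the report.
        "sender_domain_mismatch": domain_of(from_addr) != domain_of(return_path),
        "message_id": str(msg["Message-ID"]),
    }


if __name__ == "__main__":
    for key, value in examine_headers(RAW_MESSAGE).items():
        print(key, value)
```

Only the Received header added by your own mail server can be trusted; the ones below it were written by outside relays and can be forged, so the origin IP is a lead to be confirmed against the server logs the slide lists, not a conclusion.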
Industrial Espionage Investigations
Guidelines (cont'd):
- Determine the goal and scope of the investigation
- Initiate the investigation after approval from management
Planning considerations:
- Examine all e-mail of suspected employees
- Search Internet newsgroups or message boards
- Initiate physical surveillance
- Examine facility physical access logs for sensitive areas

Interviews and Interrogations in High-Tech Investigations
- Becoming a skilled interviewer and interrogator can take many years of experience
- Interview: usually conducted to collect information from a witness or suspect about specific facts related to an investigation
- Interrogation: the process of trying to get a suspect to confess

Understanding Data Recovery Workstations and Software
- Investigations are conducted in a computer forensics lab (or data-recovery lab)
- In data recovery, the customer or your company just wants the data back
- Computer forensics workstation: a specially configured PC loaded with additional bays and forensics software
- To avoid altering the evidence, use write-blocker devices, which enable you to boot to Windows without writing data to the evidence drive
Setting Up Your Workstation for Digital Forensics (1 of 2)
Basic requirements:
- A workstation running Windows 7 or later
- A write-blocker device
- Digital forensics acquisition tool
- Digital forensics analysis tool
- Target drive to receive the source or suspect disk data
- Spare PATA or SATA ports
- USB ports

Setting Up Your Workstation for Digital Forensics (2 of 2)
Additional useful items:
- Network interface card (NIC)
- Extra USB ports
- FireWire 400/800 ports
- SCSI card
- Disk editor tool
- Text editor tool
- Graphics viewer program
- Other specialized viewing tools

Conducting an Investigation
Gather the resources identified in the investigation plan. Items needed:
- Original storage media
- Evidence custody form
- Evidence container for the storage media
- Bit-stream imaging tool
- Forensic workstation to copy and examine your evidence
- Securable evidence locker, cabinet, or safe

Analyzing Your Digital Evidence
Your job is to recover data from:
- Deleted files
- File fragments
- Complete files
Deleted files linger on the disk until new data is saved on the same physical location. Tools such as Autopsy can be used to retrieve deleted files.

Completing the Case
- Keep a written journal of everything you do; your notes can be used in court
- Answer the six Ws: who, what, when, where, why, and how
- You must also explain computer and network processes
- The Autopsy Report Generator can generate reports in different styles: plain text, HTML, and Excel
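The "Analyzing Your Digital Evidence" slide above says deleted files linger on the disk until new data is saved on the same physical location. The following Python example is added here and is not from the textbook: it shows the simplest form of what tools such as Autopsy do for that case, signature-based carving, over a constructed raw image that holds a PNG skeleton and a JPEG skeleton in unallocated space with no directory entries. It then overwrites the PNG's sectors to show why the file stops being recoverable. The image bytes and the two file skeletons are synthetic; the header and trailer byte sequences are the real PNG and JPEG signatures.

```python
"""Added example, not from the textbook: signature-based carving over a
constructed raw image, showing why a deleted file is recoverable until its
sectors are reused. The image and its embedded files are synthetic."""

# Header/trailer pairs for the two file types this example understands.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Synthetic files: a PNG skeleton (signature, IHDR chunk, IEND) and a JPEG
# skeleton (SOI, a JFIF marker, padding, EOI). Not valid images, but they
# carry the signatures a carver keys on.
PNG_BLOB = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
            + b"\x00\x00\x00\x00IEND\xaeB`\x82")
JPEG_BLOB = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"

# Constructed "disk": both files sit in unallocated space, no directory entry.
IMAGE = b"\x00" * 512 + PNG_BLOB + b"\xaa" * 300 + JPEG_BLOB + b"\x00" * 200


def carve_files(image):
    """Return carved files as dicts sorted by offset. A file is only reported
    when both its header and a later trailer are still present on the image."""
    carved = []
    for kind, (header, trailer) in SIGNATURES.items():
        start = 0
        while (pos := image.find(header, start)) != -1:
            end = image.find(trailer, pos + len(header))
            if end == -1:
                # Header without trailer: the tail was overwritten or truncated.
                start = pos + len(header)
                continue
            size = end + len(trailer) - pos
            carved.append({"type": kind, "offset": pos, "size": size,
                           "data": image[pos:pos + size]})
            start = pos + size
    return sorted(carved, key=lambda c: c["offset"])


def simulate_overwrite(image, offset, new_data):
    """Model 'new data saved on the same physical location': the bytes at
    offset are replaced in place and the image keeps its size."""
    return image[:offset] + new_data + image[offset + len(new_data):]


if __name__ == "__main__":
    for c in carve_files(IMAGE):
        print(c["type"], "at offset", c["offset"], "size", c["size"])
    reused = simulate_overwrite(IMAGE, 512, b"fresh document text")
    print("after overwrite:", [c["type"] for c in carve_files(reused)])
```

Real carvers also handle fragmented files and formats without a fixed trailer, which is why the slide points at a tool rather than a script; the recoverable-until-overwritten behaviour is the same.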