Chapter 20 - 05 - Discuss Various Forensic Investigation Phases - 01_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Module Flow

@ ! Understand the Fundamentals
of Computer Forensics
! Digital Evidence. Sources
Digital Evidence
gi
to Support Forensic
Investigation
§ S———

——
,.A\

Understand Digital
Understand Digital Evidence
Evidence /_/N 02) Collecting the Evidence

Identify the Roles and /\. Responsibilities of a Forensic () (). Securing the Evidence
Investigator \

Understand the Forensic k/
Overview of Data
@ Investigation Process and @] \ / ‘ (n):ervil ft;; :fData
Acquisition
its Importance

" V‘
Discuss Various Forensic
Discuss Various Forensic o Performing Evidence
Performing Evidence
Investigation Phases Analysis. L]

Discuss Various Forensic Investigation Phases
This section explains the phases involved in the computer forensics investigation process.

Module 20 Page 2204 Certified Cybersecurity Technician Copyright © by EG-Council
EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Pre-investigation Phase: Setting Up a Computer Forensics Lab
/\ A Computer Forensics Lab (CFL) is a location that houses instruments, software and hardware tools, and forensic
m workstations required for conducting a computer-based investigation with regard to the collected evidence

1 e
= e
2
el [
3 ]|
Planning & budgeting Physical & Structural design Work area considerations
considerations considerations
v" Number of expected cases v Labsize v Workstation requirement
v Type of investigation v’v Access to essential services v' Ambience
v' Manpower v Space estimation for work area and v Internet, network and communication line
v Equipment and software requirement evidence storage v Lighting systems and emergency power
¥’¥ Heating, ventilation, and air-conditioning

4 ) 6
Physical security considerations Human resource considerations Forensic lab licensing
v’ Electronic sign-in v" Number of required personnel v"v' ASCLD/LAB accreditation
v Intrusion alarm systems v’ Training and certification v' I1SO/IEC 17025 accreditation
ISO/IEC
v’ Fire suppression systems

Pre-investigation Phase
The pre-investigation phase involves all the tasks performed prior to the commencement of the
actual investigation. This phase includes steps such as planning the process, defining mission
goals, and getting approval from relevant authority.
This section discusses all the steps that, together, form the pre-investigation phase.
Pre-investigation Phase: Setting Up a Computer Forensics Lab
A computer forensics lab (CFL) is a designated location for conducting a computer-based
investigation of the collected evidence in order to solve the case and find the culprit. The lab
houses the instruments, software and hardware tools, and the forensic workstations required
to perform investigation of all types.
1. Planning and budgeting considerations
o Types of Investigations: Choose the types of crimes for the lab to investigate based
on the crime statistics of the previous year and the expected trend such as criminal,
civil, and corporate. If the investigation is for a corporation, then decide if it will be
only internal or both internal and external. This will help in the estimation of the
number of expected cases and allocation of physical resources as well as the budget.
o Number of Investigators/Examiners: The number of investigators needed depends
on the forensic case. Hiring trained and certified professionals is important for
performing proper investigations.
o Equipment Requirement: The forensics lab should have both forensic and non-
forensic workstations for investigative purposes. A safe locker large enough to store
equipment required for the forensic investigation should be available in the lab. This

Module 20 Page 2205 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

will help categorize the equipment stored on the rack and help the investigator
locate the necessary equipment during the investigation. Safe lockers are also a
means to keep equipment safe and protect them from wear and tear, dust, and
other foreign particles that may hamper performance. Keep the unused equipment
on storage shelves away from the main working area to keep the lab clean and tidy.
Software Requirement: Ensure the use of licensed versions of all software required
for the forensic investigation at any time during the investigation. Demo versions of
forensic software are not preferable, as they offer limited functionality. Having
licensed versions also helps investigators during a trial. Use a demo version if and
only if it provides full functionality.
2. Physical and structural design considerations
o Lab Size: Determining the size of the forensic lab depends largely on the budget and
type of cases to be handled.
Access to Essential Services: There should be easy access to all the essential services
of the lab, including emergency services such as the fire department and other
emergency vehicles. It must also have access to shipping and receiving without
compromising the physical security of the lab.
Space Estimation for Work Area and Evidence Storage: The lab must be large. There
must be sufficient space to place all the equipment in the lab such as workstations
and evidence storage.
Heating, Ventilation, and Air-Conditioning: The environment in the lab such as the
humidity, airflow, ventilation, and room temperature also plays an important factor.
There must be a high exchange rate of air in the lab in order to maintain fresh air
inside the room and prevent unwanted odors in the lab. There must be proper
cooling systems installed in the lab to overcome the heat that workstations
generate.
3. Work area considerations

o] Workstation Requirement: A small-sized forensic lab generally has two workstations
and one ordinary workstation with Internet connectivity. However, the requirement
of forensics workstations varies according to the types and complexity of cases and
processes handled in the lab.
o] Ambience: Investigators spend long hours in a forensics lab. Hence, it is of utmost
importance that the ambience of the lab is comfortable.
Internet, Network, and Communication Line: Install a dedicated Integrated Services
Digital Network (ISDN) for network and voice communications. A dedicated network
is preferred for the forensic computer, as it requires continuous access to the
Internet and other resources on the network. Dial-up Internet access must be
available for the workstations in the laboratory.
Lighting Systems and Emergency Power: The lab should have emergency power and
protection for all equipment from power fluctuations. Lighting systems should be

Module 20 Page 2206 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

arranged to increase the productivity of the investigators. Adjust lighting to avoid
glare and keep the monitors at an angle of 90 degrees from the windows.
4. Physical security considerations
o The level of physical security required for a forensics lab depends on the nature of
investigations performed in the lab
Maintain a log register at the entrance of the lab to record visitor data such as the
address and name of the visitor with date, time, and the purpose of the visit, as well
as name of the contact person. Provide visitors with passes to distinguish them from
the lab staff and maintain an electronic sign-in log for them.
Install an intrusion alarm system in the lab to provide an additional layer of
protection and deploy guards around the premises

Keep the lab under surveillance by placing closed-circuit cameras in the lab and
around its premises
Place fire extinguishers within and outside the lab and provide training to the lab
personnel and guards on how to use them, in case of a fire
Shield workstations from transmitting electromagnetic signals, which is common
with electronic equipment. The solution is to shield emissions through a process the
US Department of Defense has named TEMPEST. To prevent eavesdropping,
TEMPEST labs use sheets of good metallic conductors such as copper for lining the
walls, ceilings, and floor. Insulate the power cables to prevent radiation and add
filters to the telephones within the lab.
5. Human resource considerations

o The overall success of a computer forensics laboratory mainly relies on experience
gathering, knowledge sharing, ongoing education, and investment in human
resources development

Estimate the number of personnel required to deal with the case based on its nature
and the skills they should have to complete the tasks
Interview the appropriate candidates and recruit them legally. Ensure they have
certification pertaining to their job roles.
In the case of a computer forensics laboratory, key job roles include lab cybercrime
investigator, lab director, forensic technician, and forensic analyst
6. Forensic lab licensing
o Forensics labs should be licensed by the concerned authorities to indicate
trustworthiness
o The authorities provide these licenses after reviewing the lab and the facilities it has
for performing investigations
o Some such licenses include the American Society of Crime Laboratory Directors
(ASCLD)/LAB accreditation and the ISO/IEC 17025 accreditation

Module 20 Page 2207 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Pre-investigation Phase:
Building the Investigation Team

O Keep the to protect the confidentiality of the investigation and to guard against
O Identify team members and
O Ensure that every team member has the necessary and ijon to conduct assigned tasks
O Assign one team member as the technical lead for the i

People Involved in an Investigation Team
| Photographer Photographs the crime scene and the evidence gathered

Incident Responder Responsible for the measures to be taken when an incident occurs

Incident Analyzer Analyzes the incidents based on their occurrence

Evidence Examiner/Investigator Examines the evidence acquired and sorts the useful evidence

Evidence Documenter Documents all the evidence and the phases present in the investigation process

Evidence Manager Manages the evidence in such a way that it is admissible in the court of law [ ‘

Expert Witness Offers a formal opinion in the form of a testimony in the court of law. Attorney Provides legal advice

Copyright © by cll. All Rights Reserved. Reproduction
Is Strictly
Strictly Prohibited.
Prohibited

Pre-investigation Phase: Building the Investigation Team
The investigation team plays a major role in solving a case. The team is responsible for
evaluating the crime, evidence, and criminals. Every team member should be assigned a few
specific tasks (roles and responsibilities) that let the team analyze the incident easily. The
guidelines for building the investigation team are as follows:

= |dentify the team members and assign them responsibilities
= Appoint a person as the technical lead for the investigation
= Keep the investigation team as small as possible to achieve confidentiality and avoid
information leaks
= Provide each team member with the necessary clearance and authorization to complete
the assigned tasks

=* Enlist help from a trusted external investigation team, if required

To find the appropriate evidence from a variety of computing systems and electronic devices,
the following people may be involved:

=* Photographer: The photographer photographs the crime scene and the evidence
gathered. They should have an authentic certification. This person is responsible for
shooting all the evidence found at the crime scene, which records the key evidence in
the forensics process.
=* Incident Responder: The incident responder is responsible for the measures taken when
an incident occurs. This individual is responsible for securing the incident area and
collecting the evidence that is present at the crime scene. They should disconnect the
system from other systems to stop the spread of the incident to other systems.

Module 20 Page 2208 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

* Incident Analyzer: The incident analyzer analyzes the incidents based on the
occurrence. They examine the incident as per its type, how it affects the systems, the
different threats and vulnerabilities associated with it, etc.

*= Evidence Examiner/Investigator: The evidence examiner examines the evidence
acquired and sorts it based on usefulness and relevance into a hierarchy that indicates
the priority of the evidence.

= Evidence Documenter: The evidence documenter documents all the evidence and the
phases present in the investigation process. They gather information from all the people
involved in the forensics process and document it in an orderly fashion, from incident
occurrence to the end of the investigation. The documents should contain complete
information about the forensics process.

= Evidence Manager: The evidence manager manages the evidence. They have all the
information about the evidence, for example, evidence name, evidence type, time, and
source of evidence. They manage and maintain a record of the evidence such that it is
admissible in the court of law.

= Expert Witness: The expert witness offers a formal opinion as a testimony in a court of
law. Expert witnesses help authenticate the facts and other witnesses in complex cases.
They also assist in cross-examining witnesses and evidence, as various factors may
influence a normal witness.

= Attorney: The attorney gives legal advice about how to conduct the investigation and
address the legal issues involved in the forensic investigation process.

Module 20 Page 2209 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.