Computer Forensics - Certified Cybersecurity Technician - Exam 212-82 PDF

Summary

This document discusses computer forensics investigation phases. It includes detailed information about the pre-investigation phase, such as planning and budgeting considerations, physical and structural design, and work area considerations. The document also covers topics such as physical security, human resource considerations and discusses the importance of the computer forensics lab.

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Computer Forensics Module Flow @ ! Understand the Fundamentals of Computer Forensics...

Certified Cybersecurity Technician Exam 212-82 Computer Forensics Module Flow @ ! Understand the Fundamentals of Computer Forensics ! Digital Evidence. Sources Digital Evidence gi to Support Forensic Investigation § S——— —— ,.A\ Understand Digital Understand Digital Evidence Evidence /_/N 02) Collecting the Evidence Identify the Roles and /\. Responsibilities of a Forensic () (). Securing the Evidence Investigator \ Understand the Forensic k/ Overview of Data @ Investigation Process and @] \ / ‘ (n):ervil ft;; :fData Acquisition its Importance " V‘ Discuss Various Forensic Discuss Various Forensic o Performing Evidence Performing Evidence Investigation Phases Analysis. L] Discuss Various Forensic Investigation Phases This section explains the phases involved in the computer forensics investigation process. Module 20 Page 2204 Certified Cybersecurity Technician Copyright © by EG-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Pre-investigation Phase: Setting Up a Computer Forensics Lab /\ A Computer Forensics Lab (CFL) is a location that houses instruments, software and hardware tools, and forensic m workstations required for conducting a computer-based investigation with regard to the collected evidence 1 e = e 2 el [ 3 ]| Planning & budgeting Physical & Structural design Work area considerations considerations considerations v" Number of expected cases v Labsize v Workstation requirement v Type of investigation v’v Access to essential services v' Ambience v' Manpower v Space estimation for work area and v Internet, network and communication line v Equipment and software requirement evidence storage v Lighting systems and emergency power ¥’¥ Heating, ventilation, and air-conditioning 4 ) 6 Physical security considerations Human resource considerations Forensic lab licensing v’ Electronic sign-in v" Number of required personnel v"v' ASCLD/LAB accreditation v Intrusion alarm systems v’ Training and certification v' I1SO/IEC 17025 accreditation ISO/IEC v’ Fire suppression systems Pre-investigation Phase The pre-investigation phase involves all the tasks performed prior to the commencement of the actual investigation. This phase includes steps such as planning the process, defining mission goals, and getting approval from relevant authority. This section discusses all the steps that, together, form the pre-investigation phase. Pre-investigation Phase: Setting Up a Computer Forensics Lab A computer forensics lab (CFL) is a designated location for conducting a computer-based investigation of the collected evidence in order to solve the case and find the culprit. The lab houses the instruments, software and hardware tools, and the forensic workstations required to perform investigation of all types. 1. Planning and budgeting considerations o Types of Investigations: Choose the types of crimes for the lab to investigate based on the crime statistics of the previous year and the expected trend such as criminal, civil, and corporate. If the investigation is for a corporation, then decide if it will be only internal or both internal and external. This will help in the estimation of the number of expected cases and allocation of physical resources as well as the budget. o Number of Investigators/Examiners: The number of investigators needed depends on the forensic case. Hiring trained and certified professionals is important for performing proper investigations. o Equipment Requirement: The forensics lab should have both forensic and non- forensic workstations for investigative purposes. A safe locker large enough to store equipment required for the forensic investigation should be available in the lab. This Module 20 Page 2205 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics will help categorize the equipment stored on the rack and help the investigator locate the necessary equipment during the investigation. Safe lockers are also a means to keep equipment safe and protect them from wear and tear, dust, and other foreign particles that may hamper performance. Keep the unused equipment on storage shelves away from the main working area to keep the lab clean and tidy. Software Requirement: Ensure the use of licensed versions of all software required for the forensic investigation at any time during the investigation. Demo versions of forensic software are not preferable, as they offer limited functionality. Having licensed versions also helps investigators during a trial. Use a demo version if and only if it provides full functionality. 2. Physical and structural design considerations o Lab Size: Determining the size of the forensic lab depends largely on the budget and type of cases to be handled. Access to Essential Services: There should be easy access to all the essential services of the lab, including emergency services such as the fire department and other emergency vehicles. It must also have access to shipping and receiving without compromising the physical security of the lab. Space Estimation for Work Area and Evidence Storage: The lab must be large. There must be sufficient space to place all the equipment in the lab such as workstations and evidence storage. Heating, Ventilation, and Air-Conditioning: The environment in the lab such as the humidity, airflow, ventilation, and room temperature also plays an important factor. There must be a high exchange rate of air in the lab in order to maintain fresh air inside the room and prevent unwanted odors in the lab. There must be proper cooling systems installed in the lab to overcome the heat that workstations generate. 3. Work area considerations o] Workstation Requirement: A small-sized forensic lab generally has two workstations and one ordinary workstation with Internet connectivity. However, the requirement of forensics workstations varies according to the types and complexity of cases and processes handled in the lab. o] Ambience: Investigators spend long hours in a forensics lab. Hence, it is of utmost importance that the ambience of the lab is comfortable. Internet, Network, and Communication Line: Install a dedicated Integrated Services Digital Network (ISDN) for network and voice communications. A dedicated network is preferred for the forensic computer, as it requires continuous access to the Internet and other resources on the network. Dial-up Internet access must be available for the workstations in the laboratory. Lighting Systems and Emergency Power: The lab should have emergency power and protection for all equipment from power fluctuations. Lighting systems should be Module 20 Page 2206 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics arranged to increase the productivity of the investigators. Adjust lighting to avoid glare and keep the monitors at an angle of 90 degrees from the windows. 4. Physical security considerations o The level of physical security required for a forensics lab depends on the nature of investigations performed in the lab Maintain a log register at the entrance of the lab to record visitor data such as the address and name of the visitor with date, time, and the purpose of the visit, as well as name of the contact person. Provide visitors with passes to distinguish them from the lab staff and maintain an electronic sign-in log for them. Install an intrusion alarm system in the lab to provide an additional layer of protection and deploy guards around the premises Keep the lab under surveillance by placing closed-circuit cameras in the lab and around its premises Place fire extinguishers within and outside the lab and provide training to the lab personnel and guards on how to use them, in case of a fire Shield workstations from transmitting electromagnetic signals, which is common with electronic equipment. The solution is to shield emissions through a process the US Department of Defense has named TEMPEST. To prevent eavesdropping, TEMPEST labs use sheets of good metallic conductors such as copper for lining the walls, ceilings, and floor. Insulate the power cables to prevent radiation and add filters to the telephones within the lab. 5. Human resource considerations o The overall success of a computer forensics laboratory mainly relies on experience gathering, knowledge sharing, ongoing education, and investment in human resources development Estimate the number of personnel required to deal with the case based on its nature and the skills they should have to complete the tasks Interview the appropriate candidates and recruit them legally. Ensure they have certification pertaining to their job roles. In the case of a computer forensics laboratory, key job roles include lab cybercrime investigator, lab director, forensic technician, and forensic analyst 6. Forensic lab licensing o Forensics labs should be licensed by the concerned authorities to indicate trustworthiness o The authorities provide these licenses after reviewing the lab and the facilities it has for performing investigations o Some such licenses include the American Society of Crime Laboratory Directors (ASCLD)/LAB accreditation and the ISO/IEC 17025 accreditation Module 20 Page 2207 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics Pre-investigation Phase: Building the Investigation Team O Keep the to protect the confidentiality of the investigation and to guard against O Identify team members and O Ensure that every team member has the necessary and ijon to conduct assigned tasks O Assign one team member as the technical lead for the i People Involved in an Investigation Team | Photographer Photographs the crime scene and the evidence gathered Incident Responder Responsible for the measures to be taken when an incident occurs Incident Analyzer Analyzes the incidents based on their occurrence Evidence Examiner/Investigator Examines the evidence acquired and sorts the useful evidence Evidence Documenter Documents all the evidence and the phases present in the investigation process Evidence Manager Manages the evidence in such a way that it is admissible in the court of law [ ‘ Expert Witness Offers a formal opinion in the form of a testimony in the court of law. Attorney Provides legal advice Copyright © by cll. All Rights Reserved. Reproduction Is Strictly Strictly Prohibited. Prohibited Pre-investigation Phase: Building the Investigation Team The investigation team plays a major role in solving a case. The team is responsible for evaluating the crime, evidence, and criminals. Every team member should be assigned a few specific tasks (roles and responsibilities) that let the team analyze the incident easily. The guidelines for building the investigation team are as follows: = |dentify the team members and assign them responsibilities = Appoint a person as the technical lead for the investigation = Keep the investigation team as small as possible to achieve confidentiality and avoid information leaks = Provide each team member with the necessary clearance and authorization to complete the assigned tasks =* Enlist help from a trusted external investigation team, if required To find the appropriate evidence from a variety of computing systems and electronic devices, the following people may be involved: =* Photographer: The photographer photographs the crime scene and the evidence gathered. They should have an authentic certification. This person is responsible for shooting all the evidence found at the crime scene, which records the key evidence in the forensics process. =* Incident Responder: The incident responder is responsible for the measures taken when an incident occurs. This individual is responsible for securing the incident area and collecting the evidence that is present at the crime scene. They should disconnect the system from other systems to stop the spread of the incident to other systems. Module 20 Page 2208 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Computer Forensics * Incident Analyzer: The incident analyzer analyzes the incidents based on the occurrence. They examine the incident as per its type, how it affects the systems, the different threats and vulnerabilities associated with it, etc. *= Evidence Examiner/Investigator: The evidence examiner examines the evidence acquired and sorts it based on usefulness and relevance into a hierarchy that indicates the priority of the evidence. = Evidence Documenter: The evidence documenter documents all the evidence and the phases present in the investigation process. They gather information from all the people involved in the forensics process and document it in an orderly fashion, from incident occurrence to the end of the investigation. The documents should contain complete information about the forensics process. = Evidence Manager: The evidence manager manages the evidence. They have all the information about the evidence, for example, evidence name, evidence type, time, and source of evidence. They manage and maintain a record of the evidence such that it is admissible in the court of law. = Expert Witness: The expert witness offers a formal opinion as a testimony in a court of law. Expert witnesses help authenticate the facts and other witnesses in complex cases. They also assist in cross-examining witnesses and evidence, as various factors may influence a normal witness. = Attorney: The attorney gives legal advice about how to conduct the investigation and address the legal issues involved in the forensic investigation process. Module 20 Page 2209 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Use Quizgecko on...
Browser
Browser