
Chapter 20 - 05 - Discuss Various Forensic Investigation Phases - 02_ocred_fax_ocred.pdf


Certified Cybersecurity Technician Exam 212-82 Computer Forensics

Pre-investigation Phase: Understanding the Hardware and Software Requirements of a Forensic Lab

A digital forensic lab should have all the necessary hardware and software tools to support the investigation process, starting from searching and seizing the evidence to reporting the outcome of the analysis. Familiarity with the investigation toolkit makes the entire process quicker and more efficient. A sophisticated investigation toolkit that includes both hardware and software can reduce the incident impact by stopping the incident from spreading to other systems. This will minimize the organization's damage and aid the investigation process as well.

Hardware
- Two or more forensic workstations with good processing power and RAM
- Specialized cables
- Write-blockers
- Drive duplicators
- Archive and restore devices
- Media sterilization systems
- Other equipment that allows forensic software tools to work
- Computer forensic hardware toolkit, such as Paraben's First Responder Bundle, DeepSpar Disk Imager, FRED forensic workstation, etc.

Software
- OSes
- Data discovery tools
- Password-cracking tools
- Acquisition tools
- Data analyzers
- Data recovery tools
- File viewers (image and graphics)
- File type conversion tools
- Security and utilities software
- Computer forensic software tools such as Wireshark, AccessData's FTK, etc.

Module 20 Page 2210 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Investigation Phase: Computer Forensics Investigation Methodology

After obtaining the required permissions and having assessed the case prerequisites, the investigator is ready to investigate the incident. The investigation phase and the post-investigation phase include various stages and processes that need careful and systematic execution to obtain better results. Each step in this phase is equally crucial for the acceptance of the evidence in a court of law and the prosecution of the perpetrators. This section discusses in detail all the stages, starting from the documentation of the electronic crime scene to the analysis of evidential data, which are crucial in the investigation phase.

Figure 20.1: Computer forensics investigation methodology
1. Documenting the electronic crime scene
2. Search and seizure
3. Evidence preservation
4. Data acquisition
5. Data analysis
6. Case analysis
These are followed by reporting and testifying as an expert witness.

Investigation Phase: Documenting the Electronic Crime Scene

Documentation of the electronic crime scene is necessary to maintain a record of all the forensic investigation processes applied to identify, extract, analyze, and preserve the evidence. The details should include the location of the crime, the status of the system, connected network devices, storage media, smartphones, mobile phones, PDAs, and Internet and network access. The document will help trace the serial numbers or other identifiers of the procured devices. Documenting also includes taking photographs, videos, notes, and sketches of the scene in order to recreate it later. The investigator needs to document the processes and activities running on the display screens. The crime scene documentation should contain comprehensive details of the investigation.

Points to consider while documenting the electronic crime scene are as follows:
- Documentation of the electronic crime scene is a continuous process during the investigation that makes a permanent record of the scene
- It is essential to properly note down the site and state of computers, digital storage media, and other electronic devices
- Document the physical crime scene, noting the position of the system and other equipment, if any
- Document details of any related or difficult-to-find electronic components
- Record the state of the computer system, digital storage media, electronic devices, and predictable evidence, including the power status of the computer
- Take a photograph of the computer monitor's screen and note down what you see on the screen
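The points above describe what a permanent scene record must capture (location, device state and power status, serial numbers, connected network, what is on screen, photographs). The following is an added example, not part of the EC-Council module, of a small tamper-evident scene log built from those fields: each record is hash-chained to the previous one so that any later alteration of a record is detectable. All device details, serial numbers and the photograph bytes are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict

@dataclass
class SceneEntry:
    item: str               # what was found, e.g. "Workstation at desk 2"
    location: str           # position at the physical scene
    device_type: str
    serial: str             # serial number or other identifier
    power_status: str       # "on" / "off" / "powered via USB"
    connected_network: str  # network connections observed
    screen_notes: str       # what was visible on the display
    photo_digests: list = field(default_factory=list)  # SHA-256 of scene photos

def photo_digest(image_bytes: bytes) -> str:
    """SHA-256 of a photograph taken at the scene, stored instead of the file."""
    return hashlib.sha256(image_bytes).hexdigest()

class SceneLog:
    """Append-only log; each record's hash also covers the previous record's hash."""
    def __init__(self):
        self.records = []

    def append(self, entry: SceneEntry) -> str:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = json.dumps(asdict(entry), sort_keys=True)   # canonical form
        h = hashlib.sha256((prev + body).encode()).hexdigest()
        self.records.append({"prev": prev, "entry": asdict(entry), "hash": h})
        return h

    def verify(self) -> bool:
        """Recompute the chain; False if any record was edited or reordered."""
        prev = "0" * 64
        for rec in self.records:
            body = json.dumps(rec["entry"], sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if rec["prev"] != prev or rec["hash"] != expected:
                return False
            prev = rec["hash"]
        return True

def build_sample_log() -> SceneLog:
    """Constructed sample scene: one powered-on workstation and an attached USB drive."""
    photo = b"constructed placeholder image bytes"  # stands in for a real photo file
    log = SceneLog()
    log.append(SceneEntry("Workstation at desk 2", "Room 3B, north wall", "desktop PC",
                          "SN-PLACEHOLDER-001", "on", "wired LAN, switch port 7",
                          "Login screen visible; remote session notification shown",
                          [photo_digest(photo)]))
    log.append(SceneEntry("External drive", "plugged into workstation USB port", "USB HDD",
                          "SN-PLACEHOLDER-002", "powered via USB", "n/a", "n/a"))
    return log
```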
Investigation Phase: Search and Seizure

The investigators should have in-depth knowledge of all the devices that could have played a part in transmitting the attack data to the victim device. They should be able to search for all the involved devices and seize them in a lawful manner for the acquisition and analysis of the evidential data. The following diagram depicts the search and seizure process flow:

Figure 20.2: Search and seizure process flow diagram
1. Planning the search and seizure
   - Seeking consent
   - Obtaining witness signatures
   - Obtaining a warrant for search and seizure
   - Collecting incident information
2. Securing and evaluating the crime scene
3. Initial search of the scene
4. Seizing evidence at the crime scene
   - Dealing with powered-on computers
   - Dealing with powered-off computers
   - Dealing with networked computers
   - Operating system shutdown procedure
   - Dealing with mobiles and other handheld devices
