Chapter 20 - 05 - Discuss Various Forensic Investigation Phases - 03_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Investigation Phase: Planning the Search and Seizure

A search and seizure plan should contain the following details:

° Description of the incident ° Creating a chain of custody document

° Case name or title of the incident ° Details of equipment to be seized

° Location of the incident ° Search and seizure type (overt/covert)

o Applicable jurisdiction and relevant legislation ° Approval from local management

° Determining the extent of authority to search ° Health and safety precautions

Investigation Phase: Planning the Search and Seizure
The investigators need to design a strategic process to conduct the search and seizure activity.
This will help them distribute tasks among the team members to complete the seizure and
allow the team to use time and tools in a well-defined manner.

The search and seizure plan should include the following details:
= Description, title, and location of the incident

= Applicable jurisdiction, relevant legislation, and organizational policy
= Determining the extent of authority to search
= (Creating a chain of custody document
= Details of equipment to be seized, such as structure type and size, location (all in one
place, spread across the building or floors), type of device and model number, power
status, network status and type of network, backups (if any), last time and date, location
of backup and if it is necessary to take the server down and the business impact of this
action

= Search and seizure type (overt/covert)
= Approval from the local management
= Health and safety precautions, such as all forensic teams wearing protective latex gloves
for all searching and seizing operations onsite to protect the staff and preserving any
fingerprints that may come handy in the future

Module 20 Page 2215 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

The investigating team cannot jump into the action immediately after chalking out a plan for
search and seizure; they must follow a specific protocol and perform some legal formalities that
include obtaining warrant, collecting information about the incident, and seeking authorization
and consent.

Module 20 Page 2216 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Investigation Phase: Evidence
Preservation
@ Evidence preservation refers to the proper handling and
d documentation of evidence to ensure that it is free from
any contamination

T Any physical and/or digital evidence seized should be
isolated, secured, transported and preserved to protect
- its true state

At the time of evidence transfer, both the sender and the
receiver need to provide information about the date and
time of transfer in the chain of custody record

The procedures used to protect the evidence and document
it while collecting and shipping are as follows:
* The logbook of the project

» A tag to uniquely identify any evidence

»* A chain of custody record

Investigation Phase: Evidence Preservation
Understanding the importance of preserving evidence is important because forensic evidence is
fragile in nature and can be easily tampered with. It is essential to safeguard the integrity of the
evidence to render it acceptable in a court of law.

The handling and preservation of evidence are some of the most significant aspects of digital
forensic investigation. Investigators should take all necessary steps to ensure that the evidence
remains in its true state, exactly as it was found at the crime scene.

At the time of evidence transfer, both the sender and the receiver need to provide information
about the date and time of transfer in the chain of custody record.
The following are required to protect the evidence and document it while collecting and
shipping:
= The logbook of the project to record observations related to the evidence
= Atagto uniquely identify any evidence
= A chain of custody record

Module 20 Page 2217 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Investigation Phase: Data
Acquisition

Forensic data acquisition is a process of imaging or collecting
information from various media in accordance with certain
©

standards for analyzing its forensic value

Investigators can then forensically process and
examine the collected data to extract information
©

relevant to any particular case or incident while
protecting the integrity of the data

It is one of the most critical steps of digital forensics as
improper acquisition may alter data in evidence media,
©)

and render it inadmissible in the court of law

@ Investigators should be able to verify the accuracy of acquired
data, and the complete process should be auditable and
acceptable to the court

Investigation Phase: Data Acquisition
During the investigation of digital devices, all the evidence may be present in the form of data.
Therefore, the investigators should have expertise in acquiring the data stored across various
devices in different forms.

Data acquisition is the use of established methods to extract Electronically Stored Information
(ESI) from a suspect computer or storage media in order to gain insight into a crime or an
incident. Forensic data acquisition is a process of imaging or collecting information from various
media in accordance with certain standards in order to analyze its forensic value. Investigators
can then forensically process and examine the collected data to extract information relevant to
any particular case or incident while protecting the integrity of the data. It is one of the most
critical steps of digital forensics as any improper acquisition may alter data in evidence media
and render it inadmissible in the court of law.

Forensic investigators should be able to verify the accuracy of acquired data, and the complete
process should be acceptable and reproducible in the court.

Before acquiring the data, the investigator needs to ensure that their storage device is
forensically clean and then initiate write protection to secure and protect original evidence.

Module 20 Page 2218 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Investigation Phase: Data Analysis
" 2 WY ’/' y vs i J:.
L

OQO This phase includes the following:

= Analysis of the file’s content, date
0O
O Data analysis techniques depend and time of file creation and
on the scope of the case or the modification, users associated with
file creation, access and file
client’s requirements at -
QO Data analysis refers to the process @
client’s requirements :"Odlflcat'?nr; and
modification, a?tli physical
physical storage
storage
of examining,
exarr?inlng, ident‘ifylng,
identifying, — location
ocation ofof the
the filefile. _ e |
separating, converting, and *= Timeline generation.m°de“n§ data to isolate useful
f“°d°""§ *= |dentification of the root cause of
information the incident
the incident

Investigation Phase: Data Analysis
Data analysis refers to the process of examining, identifying, separating, converting, and
modeling data to isolate useful information. In the forensic investigation, data analysis helps in
gathering and examining data to find its relevance with the incident in order to submit the
findings to an authority for conclusions and decision-making.
Investigators must thoroughly analyze the acquired data to draw conclusions related to the
case. Here, data analysis techniques depend on the scope of the case or client’s requirements
and the type of evidence.
This phase includes the following:

*= Analyzing the file content for data usage
= Analyzing the date and time of file creation and modification
* Finding the users associated with file creation, access, and file modification
= Determining the physical storage location of the file
= Timeline generation
= |dentifying the root cause of the incident
Identify and categorize data in order of relevance to the case, such that the most relevant data
serve as the most important evidence to the case.

Module 20 Page 2219 Certified Cybersecurity Technician Copyright © by EG-Council
EG-Bouncil
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Computer Forensics

Investigation
Phase: Case
Analysis

Investigators can relate the evidential data to the case details for understanding how the complete
incident took place and determining the future actions such as the following:

Determine the possibility of exploring Gather additional information Consider the relevance of
other investigative procedures to gather related to the case (e.g., aliases, D components that are out of the
additional evidence (e.g., checking host email accounts, ISP used, names, scope of investigation; for
data and examining network service logs network configuration, system example, equipment such as
for any information of evidentiary value, logs, and passwords) by laminators, check paper,
collecting case-specific evidence from interviewing the respective scanners, and printers in case of
social media, identifying remote storage individuals any fraud; or digital cameras in
locations etc.) case of child pornography

Copyright ©© by
Copyright by EE IL.. All
All Rights
Rights Reserved.
Reserved. Reproduction
ReproductionIsis Strictly
Strictly Prohibited,
Prohibited. }|

Investigation Phase: Case Analysis
Case analysis is the process of relating the obtained evidential data to the case in order to
understand how the complete incident took place. In this phase, the investigator assesses the
impact of the incident on the organization, reasons and source of the incident, steps required
to tackle the incident, the investigating team required to handle the case, investigative
procedures, and possible outcome of the forensic process. Case analysis is important to
implement a proper plan in handling the case and achieving the desired results. Case analysis
might help the investigators in determining future actions, such as the following:
= Check if there is a possibility to follow other investigative methods to, for instance,
identify a remote storage location, examine network service logs for any information of
evidentiary value, collect case-specific evidence from social media, identifying remote
storage locations etc.)

= Gather additional information related to the case (e.g., aliases, email accounts, ISP used,
names, network configuration, system logs, and passwords) by interviewing the
respective individuals.

= |dentify the relevance of various network elements to the crime scene such as credit
cards, check papers, scanners, and cameras
= Consider the relevance of peripheral components to the investigation; for instance, in
forgery or fraud cases, consider non-computer equipment such as laminators, check
paper, scanners, and printers, or in child pornography cases, consider digital cameras

Module 20 Page 2220 Certified Cybersecurity Technician Copyright © by EG-Gouncil
All Rights Reserved. Reproduction is Strictly Prohibited.