Chapter 4: Acquiring Evidence In A Computer Forensics Lab PDF

Summary

This document provides an overview of computer forensics laboratories, including accreditation requirements, equipment, and methods for acquiring and handling digital evidence in cybercrime investigations, with particular attention to financial fraud. It also describes tools and procedures for acquiring and analyzing digital evidence, including the use of UNIX commands such as dd and grep.

Full Transcript


DHP 3363 DIGITAL FORENSICS
Chapter 4: Acquiring Evidence in a Computer Forensics Lab
Lesson #: 4

Objectives
- Learn what is needed to have a computer forensics laboratory certified
- Understand good practices for managing and processing evidence in a computer forensics laboratory
- Learn how a computer forensics laboratory should be structured
- Understand computer forensics laboratory requirements for hardware and software
- Learn proper ways to acquire, handle, and analyze digital evidence
- Understand methods for investigating financial fraud
- Understand how to use UNIX commands to scour files for particular information of interest

Acquiring Evidence in a Computer Forensics Lab
- The creation of a computer forensics laboratory, with all the necessary equipment, is an important part of evidence handling, acquisition, and analysis.
- Although notable differences exist between one computer forensics laboratory and another, the basic requirements and guidelines for forensics laboratories are similar.
- This ensures that certain standards are maintained for the equipment and for the industry-standard use of that equipment.
- Standard practices exist. The American Society of Crime Laboratory Directors (ASCLD) publishes guidelines for them, and laboratories are assessed against such standards by an independent accrediting body, ASCLD/LAB.
- ASCLD is a nonprofit organization that provides a set of guidelines and standards for forensic labs.
- ASCLD itself is not an accrediting body and should not be confused with ASCLD/LAB.

Acquiring Evidence in a Computer Forensics Lab (cont.)
- ASCLD/LAB was originally a committee within ASCLD when it was created in 1981.
- Since 1982, it has been accrediting crime labs.
- In 1984, ASCLD/LAB became a separate nonprofit entity with its own board of directors.
- It accredits labs for federal, state, and local agencies, as well as some crime labs based outside the United States.
- The accreditation process for crime labs includes computer forensics labs.
- ASCLD/LAB strives to maintain certain standards for forensics labs, including standards that govern the behavior and practices of lab employees and their managers.
- ASCLD/LAB also promotes a code of ethics for lab staff and management.

Acquiring Evidence in a Computer Forensics Lab (cont.)
- Private Sector Computer Forensics Laboratories
  – Evidence Acquisition
  – Email Preparation
  – Inventory Control
  – Web Hosting

Acquiring Evidence in a Computer Forensics Lab (cont.): figure slides
- Laboratory Requirements
- Evidence Locker
- Digital Evidence
- UltraBlock SATA/IDE Write-Blocker
- SIM Card Reader
- USB-Powered Hard Drive
- Evidence Bags
- Computer Forensics Laboratory Sign-In

Acquiring Evidence in a Computer Forensics Lab (cont.)
UNIX and Linux commands can be used to extract evidence from a device.
  – The Linux operating system is typically free.
  – The dd utility copies data block by block from a source (such as a suspect drive connected through a write-blocker) to a destination, producing a bit-for-bit raw image.
  – The raw image that dd produces (commonly given a .dd or .raw extension) is an accepted format for forensic imaging; the image should be hashed and the hash compared against that of the source.
  – grep (Global Regular Expression Print) is a utility used to extract data using pattern matching.
  – egrep (extended grep, today spelled grep -E) allows operators not found in basic grep, such as +, ?, | and {n,m} without backslash escapes.
  – fgrep (fixed-string grep, today spelled grep -F) interprets every character of the pattern literally, which is why it is faster than grep.

Acquiring Evidence in a Computer Forensics Lab (cont.)
Financial Fraud
  – Credit card numbering systems: the first digit of the card number is the Major Industry Identifier (MII), which identifies the issuer's industry category (for example, 4 and 5 fall in the banking and financial category used by Visa and Mastercard).

Acquiring Evidence in a Computer Forensics Lab (cont.)
The Issuer Identification Number (IIN) refers to the first six digits of a credit card number, of which the MII is the first; the 2017 revision of ISO/IEC 7812 lengthened newly assigned IINs to eight digits.
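The UNIX-commands slide and the MII/IIN slides above describe the pieces of one workflow: image the source with dd, verify the image by hash, then scour it with grep and classify what turns up. The script below is an added example and is not part of the course slides. Its function names, the constructed "evidence" file, and the two industry-standard test card numbers it contains (4111 1111 1111 1111 and 3782 822463 10005) are assumptions made for illustration, and the Luhn check digit test, which the slides do not mention, is added to discard false positives. It assumes GNU coreutils (sha256sum) and a grep that supports -a and -o.

```shell
#!/bin/sh
# Added example (not from the slides): image a source with dd, verify the image
# by hash, then scour it with grep for card-number candidates and classify the
# Luhn-valid survivors by MII/IIN. The evidence file is constructed below; a
# real source would be a block device behind a write-blocker.
set -e

# Constructed evidence: two valid test card numbers (Visa, Amex), one number
# that fails the Luhn check, and a literal string full of regex metacharacters.
make_sample_evidence() {
  printf '%s\n' \
    'order 1 card 4111 1111 1111 1111 exp 12/27' \
    'order 2 card 3782-822463-10005 exp 01/26' \
    'order 3 card 4111111111111112 exp 03/28' \
    'refund total: $5.00 (approx.)' > "$1"
}

# Raw (dd) imaging. bs=512 is one sector, so a whole device is never padded.
# On failing media add conv=noerror,sync: bad sectors are zero-filled, so the
# image hash then legitimately differs from the source; dd's stderr (record
# counts and read errors) is kept next to the image to document that.
acquire_image() { dd if="$1" of="$2" bs=512 2>"$2.log"; }

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }
verify_image() { [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]; }

# fgrep equivalent: -F makes '$', '.' and '(' literal. -a treats a binary
# image as text so hits inside a raw disk image are still printed.
count_fixed() { grep -a -F -c "$1" "$2" || true; }

# Luhn check on a pure digit string (separators already removed).
luhn_ok() {
  case "$1" in ''|*[!0-9]*) return 1;; esac
  local n="$1" i=${#1} sum=0 dbl=0 d
  while [ "$i" -gt 0 ]; do
    d=$(printf '%s' "$n" | cut -c"$i")
    if [ "$dbl" -eq 1 ]; then d=$((d * 2)); d=$((d > 9 ? d - 9 : d)); fi
    sum=$((sum + d)); dbl=$((1 - dbl)); i=$((i - 1))
  done
  [ $((sum % 10)) -eq 0 ]
}

# MII is the first digit; categories follow the ISO/IEC 7812 table.
mii_category() {
  case "$1" in
    0*)    echo "ISO/TC 68 and other industry assignments";;
    1*|2*) echo "airlines";;
    3*)    echo "travel and entertainment";;
    4*)    echo "banking and financial (Visa)";;
    5*)    echo "banking and financial (Mastercard)";;
    6*)    echo "merchandising and banking/financial";;
    7*)    echo "petroleum";;
    8*)    echo "healthcare and telecommunications";;
    9*)    echo "national assignment";;
    *)     echo "unknown";;
  esac
}

# IIN: historically the first six digits (ISO/IEC 7812:2017 allows eight).
iin_of() { printf '%s\n' "$1" | cut -c1-6; }

# egrep equivalent: -E for the {n,m} interval, -o to print only the match.
# Candidates are 13-19 digits optionally separated by spaces or hyphens; only
# those passing Luhn are printed as "number IIN category".
scan_cards() {
  grep -a -E -o '[0-9]([0-9 -]{11,21}[0-9])' "$1" | tr -d ' -' |
  while read -r num; do
    len=${#num}
    [ "$len" -ge 13 ] && [ "$len" -le 19 ] || continue
    luhn_ok "$num" || continue
    printf '%s %s %s\n' "$num" "$(iin_of "$num")" "$(mii_category "$num")"
  done
}

demo() {
  dir=$(mktemp -d)
  make_sample_evidence "$dir/source.bin"
  acquire_image "$dir/source.bin" "$dir/source.dd"
  verify_image "$dir/source.bin" "$dir/source.dd" && echo "image hash verified"
  echo "literal refund lines: $(count_fixed '$5.00 (approx.)' "$dir/source.dd")"
  scan_cards "$dir/source.dd"
  rm -rf "$dir"
}
demo
```

For a real acquisition, replace the constructed source with the write-blocked device node and keep dd's log together with both hashes in the evidence record. grep -E and grep -F are the modern spellings of the egrep and fgrep commands named on the slide; the digit-only regex deliberately over-matches so that the Luhn filter, not the pattern, decides what is reported.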
Acquiring Evidence in a Computer Forensics Lab (cont.) A skimmer is an electronic device used to capture the data from the magnetic stripe on a debit, credit, or prepaid card. These devices are often examined in a computer forensics laboratory. Skimmers have reached epidemic proportions and are used by identity thieves worldwide. They are generally battery operated, and although they are illegal in the United States, they can be easily purchased in Canada or on the Internet. A parasite is a point-of-sale skimmer. An ATM skimmer is used to capture data from the magnetic stripe on credit cards or ATM cards. The ATM has a false front to capture this data. Acquiring Evidence in a Computer Forensics Lab (cont.) ATM Fake Card Slot Overlay Acquiring Evidence in a Computer Forensics Lab (cont.) Back of ATM Fake Card Slot Overlay with Skimmer Device Chapter 4: Summary  Learned what is needed to have a computer forensics laboratory certified  Reviewed good practices for managing and processing evidence in a computer forensics laboratory  Reviewed how a computer forensics laboratory should be structured  Reviewed computer forensics laboratory requirements for hardware and software  Learned proper ways to acquire, handle, and analyze digital evidence  Reviewed methods for investigating financial fraud  Reviewed how to use UNIX commands to scour files for particular information of interest Next Lesson: Chapter 5, “Online Investigations”
