Computer Foundations (12 files merged).pdf

Chapter 2. Computer Foundations The goal of this chapter is to cover the low-level basics of how computers operate. In the following chapters of this book, we examine, in detail, how data are stored, and this chapter provides background information for those who do not have programming or operating system design experience. This chapter starts with a discussion about data and how they are organized on disk. We discuss binary versus hexadecimal values and little- and big-endian ordering. Next, we examine the boot process and code required to start a computer. Lastly, we examine hard disks and discuss their geometry, ATA commands, host protected areas, and SCSI. Data Organization The purpose of the devices we investigate is to process digital data, so we will cover some of the basics of data in this section. We will look at binary and hexadecimal numbers, data sizes, endian ordering, and data structures. These concepts are essential to how data are stored. If you have done programming before, this should be a review. Binary, Decimal, and Hexadecimal First, let's look at number formats. Humans are used to working with decimal numbers, but computers use binary, which means that there are only 0s and 1s. Each 0 or 1 is called a bit, and bits are organized into groups of 8 called bytes. Binary numbers are similar to decimal numbers except that decimal numbers have 10 different symbols (0 to 9) instead of only 2. Before we dive into binary, we need to consider what a decimal number is. A decimal number is a series of symbols, and each symbol has a value. The symbol in the right-most column has a value of 1, and the next column to the left has a value of 10. Each column has a value that is 10 times as much as the previous column. For example, the second column from the right has a value of 10, the third has 100, the fourth has 1,000, and so on. Consider the decimal number 35,812. We can calculate the decimal value of this number by multiplying the symbol in each column with the column's value and adding the products. We can see this in Figure 2.1. The result is not surprising because we are converting a decimal number to its decimal value. We will use this general process, though, to determine the decimal value of non-decimal numbers. Figure 2.1. The values of each symbol in a decimal number. The right-most column is called the least significant symbol, and the left-most column is called the most significant symbol. With the number 35,812, the 3 is the most significant symbol, and the 2 is the least significant symbol. Now let's look at binary numbers. A binary number has only two symbols (0 and 1), and each column has a decimal value that is two times as much as the previous column. Therefore, the right-most column has a decimal value of 1, the second column from the right has a decimal value of 2, the third column's decimal value is 4, the fourth column's decimal value is 8, and so on. To calculate the decimal value of a binary number, we simply add the value of each column multiplied by the value in it. We can see this in Figure 2.2 for the binary number 1001 0011. We see that its decimal value is 147. Figure 2.2. Converting a binary number to its decimal value. For reference, Table 2.1 shows the decimal value of the first 16 binary numbers. It also shows the hexadecimal values, which we will examine next. Table 2.1. Binary, decimal, and hexadecimal conversion table. Binary Decimal Hexadecimal 0000 00 0 0001 01 1 0010 02 2 Table 2.1. Binary, decimal, and hexadecimal conversion table. Binary Decimal Hexadecimal 0011 03 3 0100 04 4 0101 05 5 0110 06 6 0111 07 7 1000 08 8 1001 09 9 1010 10 A 1011 11 B 1100 12 C 1101 13 D 1110 14 E 1111 15 F Now let's look at a hexadecimal number, which has 16 symbols (the numbers 0 to 9 followed by the letters A to F). Refer back to Table 2.1 to see the conversion between the base hexadecimal symbols and decimal symbols. We care about hexadecimal numbers because it's easy to convert between binary and hexadecimal, and they are frequently used when looking at raw data. I will precede a hexadecimal number with '0x' to differentiate it from a decimal number. We rarely need to convert a hexadecimal number to its decimal value by hand, but I will go through the process once. The decimal value of each column in a hexadecimal number increases by a factor of 16. Therefore, the decimal value of the first column is 1, the second column has a decimal value of 16, and the third column has a decimal value of 256. To convert, we simply add the result from multiplying the column's value with the symbol in it. Figure 2.3 shows the conversion of the hexadecimal number 0x8BE4 to a decimal number. Figure 2.3. Converting a hexadecimal value to its decimal value. Lastly, let's convert between hexadecimal and binary. This is much easier because it requires only lookups. If we have a hexadecimal number and want the binary value, we look up each hexadecimal symbol in Table 2.1 and replace it with the equivalent 4 bits. Similarly, to convert a binary value to a hexadecimal value, we organize the bits into groups of 4 and then look up the equivalent hexadecimal symbol. That is all it takes. We can see this in Figure 2.4 where we convert a binary number to hexadecimal and the other way around. Figure 2.4. Converting between binaryy and hexadecimal requires only lookups from Table 2.1. Sometimes, we want to know the maximum value that can be represented with a certain number of columns. We do this by raising the number of symbols in each column by the number of columns and subtract 1. We subtract 1 because we need to take the 0 value into account. For example, p , with a binaryy number we raise 2 to the number of bits in the value and subtract 1. Therefore, a 32-bit value has a maximum decimal value of 232 - 1 = 4,294,967,295 Fortunately, most computers and low-level editing tools have a calculator that converts between binary, decimal, and hexadecimal, so you do not need to memorize these techniques. In this book, the on-disk data are given in hexadecimal, and I will convert the important values to decimal and provide both. Data Sizes To store digital data, we need to allocate a location on a storage device. You can think of this like the paper forms where you need to enter each character in your name and address in little boxes. The name and address fields have allocated space on the page for the characters in your name. With digital data, bytes on a disk or in memory are allocated for the bytes in a specific value. y is the smallest amount of space that is typically allocated to data. A byte can hold A byte only 256 values, so bytes are grouped together to store larger numbers. Typical sizes include 2, 4, or 8 bytes. Computers differ in how they organize multiple-byte values. Some of them use big-endian ordering and put the most significant byte of the number in the first storage byte, and others use little-endian ordering and put the least significant byte of the number in the first storage byte. Recall that the most significant byte is the byte with the most value (the left-most byte), and the least significant byte is the byte with the least value (the right-most byte). Figure 2.5 shows a 4-byte value that is stored in both little and big endian ordering. The value has been allocated a 4-byte slot that starts in byte 80 and ends in byte 83. When we examine the disk and file system data in this book, we need to keep the endian ordering of the original system in mind. Otherwise, we will calculate the incorrect value. Figure 2.5. A 4-byte value stored in both big- and little-endian ordering. IA32-based systems (i.e., Intel Pentium) and their 64-bit counterparts use the little-endian ordering, so we need to "rearrange" the bytes if we want the most significant byte to be the left-most number. Sun SPARC and Motorola PowerPC (i.e., Apple computers) systems use big-endian ordering. Strings and Character Encoding The previous section examined how a computer stores numbers, but we must now consider how it stores letters and sentences. The most common technique is to encode the characters using ASCII or Unicode. ASCII is simpler, so we will start there. ASCII assigns a numerical value to the characters in American English. For example, the letter 'A' is equal to 0x41, and '&' is equal to 0x26. The largest defined value is 0x7E, which means that 1 byte can be used to store each character. There are many values that are defined as control characters and are not printable, such the 0x07 bell sound. Table 2.2 shows the hexadecimal number to ASCII character conversion table. A more detailed ASCII table can be found at http://www.asciitable.com/. Table 2.2. Hexadecimal to ASCII conversion table. 00 – NULL 10 – DLE 20 – SPC 30 – 0 40 – @ 50 – P 60 – ` 70 – p 01 – SOH 11 – DC1 21 – ! 31 – 1 41 – A 51 – Q 61 – a 71 – q 02 – STX 12 – DC2 22 – " 32 – 2 42 – B 52 – R 62 – b 72 – r 03 – ETX 13 – DC3 23 – # 33 – 3 43 – C 53 – S 63 – c 73 – s 04 – EOT 14 – DC4 24 – $ 34 – 4 44 – D 54 – T 64 – d 74 – t 05 – ENQ 15 – NAK 25 – % 35 – 5 45 – E 55 – U 65 – e 75 – u 06 – ACK 16 – SYN 26 – & 36 – 6 46 – F 56 – V 66 – f 76 – v 07 – BEL 17 – ETB 27 – ' 37 – 7 47 – G 57 – W 67 – g 77 – w 08 – BS 18 – CAN 28 – ( 38 – 8 48 – H 58 – X 68 – h 78 – x 09 – TAB 19 – EM 29 – ) 39 – 9 49 – I 59 – Y 69 – i 79 – y 0A – LF 1A – SUB 2A – * 3A – ; 4A – J 5A – Z 6A – j 7A – z 0B – BT 1B – ESC 2B – + 3B – ; 4B – K 5B – [ 6B – k 7B – { 0C – FF 1C – FS 2C – , 3C – < 4C – L 5C – \ 6C – l 7C – | 0D – CR 1D – GS 2D – - 3D – = 4D – M 5D – ] 6D – m 7D – } 0E – SO 1E – RS 2E –. 3E – > 4E – N 5E – ^ 6E – n 7E – ~ 0F – SI 1F – US 2F – / 3F – ? 4F – O 5F – _ 6F – o 7F – To store a sentence or a word using ASCII, we need to allocate as many bytes as there are characters in the sentence or word. Each byte stores the value of a character. The endian ordering of a system does not play a role in how the characters are stored because these are separate 1-byte values. Therefore, the first character in the word or sentence is always in the first allocated byte. The series of bytes in a word or sentence is called a string. Many times, the string ends with the NULL symbol, which is 0x00. Figure 2.6 shows an example string stored in ASCII. The string has 10 symbols in it and is NULL terminated so it has allocated 11 bytes starting at byte 64. Figure 2.6. An address that is represented in ASCII starting at memory address 64. ASCII is nice and simple if you use American English, but it is quite limited for the rest of the world because their native symbols cannot be represented. Unicode helps solve this problem by using more than 1 byte to store the numerical version of a symbol. (More information can be found at www.unicode.org.) The version 4.0 Unicode standard supports over 96,000 characters, which requires 4-bytes per character instead of the 1 byte that ASCII requires. There are three ways of storing a Unicode character. The first method, UTF-32, uses a 4- byte value for each character, which might waste a lot of space. The second method, UTF-16, stores the most heavily used characters in a 2-byte value and the lesser-used characters in a 4-byte value. Therefore, on average this uses less space than UTF-32. The third method is called UTF-8, and it uses 1, 2, or 4 bytes to store a character. Each character requires a different number of bytes, and the most frequently used bytes use only 1 byte. UTF-8 and UTF-16 use a variable number of bytes to store each character and, therefore, make processing the data more difficult. UTF-8 is frequently used because it has the least amount of wasted space and because ASCII is a subset of it. A UTF-8 string that has only the characters in ASCII uses only 1 byte per character and has the same values as the equivalent ASCII string. Data Structures Before we can look at how data are stored in specific file systems, we need to look at the general concept of data organization. Let's return back to the previous example where we compared digital data sizes to boxes on a paper form. With a paper form, a label precedes the boxes and tells you that the boxes are for the name or address. Computers do not, generally, precede file system data with a label. Instead, they simply know that the first 32 bytes are for a person's name and the next 32 bytes are for the street name, for example. Computers know the layout of the data because of data structures. A data structure describes how data are laid out. It works like a template or map. The data structure is broken up into fields, and each field has a size and name, although this information is not saved with the data. For example, our data structure could define the first field to be called 'number' and have a length of 2 bytes. It is used to store the house number in our address. Immediately after the 'number' field is the 'street' field and with a length of 30 bytes. We can see this layout in Table 2.3. Table 2.3. A basic data structure for the house number and street name. Byte Range Description 0–1 2-byte house number 2–31 30-byte ASCII street name If we want to write data to a storage device, we refer to the appropriate data structure to determine where each value should be written. For example, if we want to store the address 1 Main St., we would first break the address up into the number and name. We would write the number 1 to bytes 0 to 1 of our storage space and then write "Main St." in bytes 2 to 9 by determining what the ASCII values are for each character. The remaining bytes can be set to 0 since we do not need them. In this case, we allocated 32 bytes of storage space, and it can be any where in the device. The byte offsets are relative to the start of the space we were allocated. Keep in mind that the order of the bytes in the house number depends on the endian ordering of the computer. When we want to read data from the storage device, we determine where the data starts and then refer to its data structure to find out where the needed values are. For example, let's read the data we just wrote. We learn where it starts in the storage g device and then apply our data structure template. Here is the output of a tool that reads the raw data. 0000000: 0100 4d61 696e 2053 742e 0000 0000 0000..Main St....... 0000016: 0000 0000 0000 0000 0000 0000 0000 0000................ 0000032: 1900 536f 7574 6820 5374 2e00 0000 0000..South St...... 0000048: 0000 0000 0000 0000 0000 0000 0000 0000................ The previous output is from the xxd Unix tool and is similar to a graphical hex-editor tool. The left column is the byte offset of the row in decimal, the 8 middle columns are 16 bytes of the data in hexadecimal, and the last column is the ASCII equivalent of the data. A '.' exists where there is no printable ASCII character for the value. Remember that each hexadecimal symbol represents 4 bits, so a byte needs 2 hexadecimal symbols. We look up the layout of our data structure and see that each address is 32 bytes, so the first address is in bytes 0 to 31. Bytes 0 to 1 should be the 2 byte number field, and bytes 2 to 31 should be the street name. Bytes 0 to 1 show us the value 0x0100. The data are from an Intel system, which is little-endian, and we will therefore have to switch the order of the 0x01 and the 0x00 to produce 0x0001. When we convert this to decimal we get the number 1. The second field in the data structure is in bytes 2 to 31 and is an ASCII string, which is not effected by the endian ordering of the system, so we do not have to reorder the bytes. We can either convert each byte to its ASCII equivalent or, in this case, cheat and look on the right column to see "Main St.." This is the value we previously wrote. We see that another address data structure starts in byte 32 and extends until byte 63. You can process it as an exercise (it is for 25 South St). Obviously, the data structures used by a file system will not be storing street addresses, but they rely on the same basic concepts. For example, the first sector of the file system typically contains a large data structure that has dozens of fields in it and we need to read it and know that the size of the file system is given in bytes 32 to 35. Many file systems have several large data structures that are used in multiple places. Flag Values There is one last data type that I want to discuss before we look at actual data structures, and it is a flag. Some data are used to identifyy if somethingg exists,, which can be represented p with either a 1 or a 0. An example could be whether a partition is bootable or not. One method of storing this information is to allocate a full byte for it and save the 0 or 1 value. This wastes a lot of space, p , though, g , because only y 1 bit is needed,, yyet 8 bits are allocated. A more efficient method is to ppack several of these binary conditions into one value. Each bit in the value corresponds to a feature or option. p These are frequently q y called flags g because each bit flags g whether a condition is true. To read a flagg value,, we need to convert the number to binary and then examine each bit. If the bit is 1, the flag is set. Let's look at an example by making our previous street address data structure a little more complex. The original data structure had a field for the house number and a field for the street name. Now, we will add an optional 16-byte city name after the street field. Because the city name is optional, we need a flag to identify if it exists or not. The flag is in byte 31 and bit 0 is set when the city exists (i.e., 0000 0001). When the city exists, the data structure is 48 bytes instead of 32. The new data structure is shown in Table 2.4. Table 2.4. A data structure with a flag value. Byte Range Description 0–1 2-byte house number 2–30 29-byte ASCII street name Table 2.4. A data structure with a flag value. Byte Range Description 31–31 Flags 32–47 16-byte ASCII city name (if flag is set) Here is sample data that was written to disk using this data structure: 0000000: 0100 4d61 696e 2053 742e 0000 0000 0000..Main St....... 0000016: 0000 0000 0000 0000 0000 0000 0000 0061...............a 0000032: 426f 7374 6f6e 0000 0000 0000 0000 0000 Boston.......... 0000048: 1800 536f 7574 6820 5374 2e00 0000 0000..South St...... 0000064: 0000 0000 0000 0000 0000 0000 0000 0060...............` On the first line, we see the same data as the previous example. The address is 1 Main St, and the flag value in byte 31 has a value of 0x61. The flag is only 1 byte in size, so we do not have to worry about the endian ordering. We need to look at this value in binary, so we use the lookup table previously given in Table 2.1 and convert the values 0x6 and 0x1 to the binary value 0110 0001. We see that the least significant bit is set, which is the flag for the city. The other bits are for other flag values, such as identifying this address as a business address. Based on the flag, we know that bytes 32 to 47 contain the city name, which is "Boston." The next data structure starts at byte 48, and its flag field is in byte 79. Its value is 0x60, and the city flag is not set. Therefore, the third data structure would start at byte 80. We will see flag values through out file system data structures. They are used to show which features are enabled, which permissions are in effect, and if the file system is in a clean state. Booting Process In the following chapters of this book, we are going to discuss where data reside on a disk and which data are essential for the operation of the computer. Many times, I will refer to boot code, which are machine instructions used by the computer when it is starting. This section describes the boot process and where boot code can be found. Many disks reserve space for boot code, but do not use it. This section will help you to identify which boot code is being used. Central Processing Units and Machine Code The heart of a modern computer is one or more Central Processing Units (CPU). Example CPUs are the Intel Pentium and Itanium, AMD Athlon, Motorola PowerPC, and Sun UltraSPARC. CPUs by themselves are not very useful because they do only what they are told. They are similar to a calculator. A calculator can do amazing things, but a human needs to be sitting in front of it and entering numbers. CPUs gget their instructions from memory. y CPU instructions are written in machine code, which is difficult to read and not user-friendly. IIt is, in general, two levels below the C or Perl programming languages that many people have seen. The level in between is an assembly language, which is readable by humans but still not very user-friendly. I will brieflyy describe machine code so that you y know what you y are lookingg at when you y see machine code on a disk. Each machine code instruction is several bytes long, and the first couple p of bytes y identify y the type yp of instruction,, called the opcode. p For example, p , the value 3 could be for an addition instruction. Following the opcode are the arguments to the instruction. FFor example, the arguments for the addition instruction would be the two numbers to add. We do not reallyy need much more detail than that for this book,, but I will finish with a basic example. p One of the machine instructions is to move values into registers of the CPU. Registers are places where CPUs store data. An A assemblyy instruction to do this is MOV AH,00 where the value 0 is moved into the AH register. g The machine code equivalent q is the hexadecimal value 0xB400 where B4 is the opcode for MOV AH and 00 is the value, in hexadecimal, to move in. There are tools that will translate the machine code to the assembly code for you, but as you can see, it is not always obvious that you are looking at machine code versus some other random data. Boot Code Locations We jjust discussed that the CPU is the heart of the computer p and needs to be fed instructions. Therefore, to start a computer, p we need to have a device that feeds the CPU instructions, also known ass boot code. In most systems, y , this is a two-step process where the first stepp involves getting g g all the hardware upp and running, and the second step involves getting the OS or other software up and running. We will briefly look into boot code because all volume and file systems have a specific location where boot code is stored, and it is not always needed. When ppower is applied to a CPU,, it knows to readd instructions from a specific p location in memory, y,, which is typically yp y Read Onlyy Memoryy ((ROM). ) The instructions in ROM force the system y to probe p for and configure g hardware. After A the hardware is configured, g , the CPU searches for a device that mayy contain additional boot code. If it finds such a device, its boot code is executed, and the code attempts to locate and load a specific operating system. The process after the bootable disk is found is platform-specific, and I will cover it in more detail in the following chapters. As an example, p , though, g , we will take a brief look at the boot process p of a Microsoft Windows system. y When the system y is powered p d on,, the CPU reads instructions from the Basic Input / Output System m (BIOS), and it searches for th thee hard disks, CD drives, and other hardware devices that it has been configured g to support. pp After the hardware has been located,, the BIOS examines the floppy ppy disks,, hard disks, and CDs in some configured order and looks at the first sector for boot code. The code in the first sector of a bootable disk causes the CPU to process the partition table and locate the bootable ppartition where the Windows operating p g system y is located. In the first sector of the partition is more boot code, which locates and loads the actual operating system. We can see how the various components refer to each other in Figure 2.7. Figure 2.7. The relationship among the various boot code locations in an IA32 system. In the Windows example, if the boot code on the disk were missing, the BIOS would not find a bootable device and generate an error. If the boot code on the disk could not find boot code in one of the partitions, it would generate an error. We will examine each of these boot code locations in the following chapters. Day1 Intoduction Computers can be used to commit crimes, and crimes can be recorded on computers, including company policy violations, stealing, e-mail harassment, murder, leaks of proprietary information, and even terrorism. This course covers the followings Understanding the Digital Forensics Profession and Investigations The Investigator's Office and Laboratory. Data Acquisition. Processing Crime and Incident Scenes. Working with Windows and CLI Systems. Current Digital Forensics Tools. Linux and Macintosh File Systems Recovering Graphics Files Digital Forensics Analysis and Validation Virtual Machine Forensics, Live Ac฀ uisitions, and Network Forensics E-mail and Social Media Investigations Mobile Device Forensics and The Internet of Anything Cloud Forensics Report Writing for High-Tech Investigations Labs’ materials Computer Forensics Investigation Process Understanding Hard Disks and File Systems Data Acquisition and Duplication Defeating Anti-forensics Techniques Windows Forensics Linux and Mac Forensics Network Forensics Investigating Web Attacks Dark Web Forensics Database Forensics Cloud Forensics Investigating Email Crimes Malware Forensics Mobile Forensics Digital forensics teaches you: How computer works How data is stored and accessed How to manage large amounts of data efficiently How to think logically How to connect concepts How to write / communicate Knowledge to know What can you do with digital forensics ? What are the digital forensics investigation process The purpose id to extract the information in the way that everyone can trust. Reporter need to understand technologies and how to manage data when they are ruining a story about evidences. How memory stores data How network works. How to manage computers and secure them. How Linux and windows command line works. Digital forensics https://www.exterro.com/basics-of-digital-forensics “Digital forensics is the process through which skilled investigators identify, preserve, analyze, document, and present material found on digital or electronic devices, such as computers and smartphones.” “Originally the term primarily applied to criminal investigations, focusing on the use of digital evidence in the prosecution of a crime, but it has expanded to include many other types of investigations in recent years.” “The goal of a digital forensics investigation is to preserve the evidence as it exists while also uncovering information that helps the investigator reconstruct past events and understand not just how, but also why, they occurred the way they did.” What is a Digital Forensic Toolkit? https://www.exterro.com/basics-of-digital-forensics Preserve data Identify data Extract, copy, or image data Analyze data Document or present data to laypersons Digital multimedia are easily tampered for malicious purposes. Copy-move forgery is an easy task with digital world. References Basics of Digital Forensics - Digital Forensics Solutions | Exterro https://www.exterro.com/basics-of-digital- forensics Day2 Cybersecurity and cybercrime Introduction Cyber security is the practice of protecting networks, applications, sensitive data, and users from cyber attacks, damage or unauthorized access. Cyber attacks are malicious attempts by individuals or groups to gain unauthorized access to computer systems, networks, and devices to steal information, disrupt operations, or launch larger attacks. Common types of cyber attacks include, but are not limited to, phishing, malware (including ransomware), social engineering attacks, and denial-of-service (DoS) and distributed denial-of-service DDoS attacks. Cyber security Cyber security is trying to protect the information that need to be protected. Difficult to manage Balance between openness and level of risk. CIA triangle confidentiality, Integrity, availability. What is Cybercrime? Cybercrime conducted via the internet or via computer network. use of a computer as an instrument to further illegal ends, such as committing fraud, trafficking in child exploitation and intellectual property, stealing identities, or violating privacy. Cybercrime, especially through the Internet, has grown in importance as the computer has become central to commerce, entertainment, and government. Focus on connections between systems, these connections very often global connection. Ex, Facebook. Cybercrime Cybercrime use computer as a tool or victim. Refrences https://www.cloudflare.com/learning/security/wha t-is-cyber-security/ https://www.britannica.com/topic/cybercrime Data storage Data Representation Digital data are combinations of binary digits (0 or 1). Lower level of data storage is at the physical layer. Hard Disk Drive (HDD). Solid State Drive (SSD). Physical disk Image. Copies data directly from the storage device (bit by bit copy). kilobytes, megabytes, and gigabtyes Logical layer Division of physical storage space into logical sections Partitions / volumes / Slices Allow splitting the disk into usable sections – maybe for different purposes. A logical disk image copies only what is in the partition Basically, only currently accessible files Usually, smaller size, but may not be able to recover deleted files. FAT limitations Logical image of the hard disk Root directory References https://drive.google.com/drive/folders/1erYHjP5ZlEZnQ9_qHH7cK FToa-i1hsRA Module 01 Computer Forensics Fundamentals Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Objectives Creative idea Understanding the Fundamentals of Computer 1 Forensics 2 Understanding Different Types of Cybercrimes 3 Overview of Indicators of Compromise (IoCs) Overview of Different Types of Digital Evidence and Rules 4 of Evidence Understanding Forensic Readiness Planning and Business 5 Continuity Understanding the Roles and Responsibilities of a Forensic 6 Investigator 7 Understanding the Legal Compliance in Computer Forensics Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Flow 3 Understand Forensic 4 5 2 Readiness Identify the Roles and Understand Legal Responsibilities of a Compliance in Understand Digital Forensic Investigator Computer Forensics 1 Evidence Understand the Fundamentals of Computer Forensics Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Understanding Computer Forensics Computer forensics refer to a set of methodological procedures and techniques that help identify, gather, preserve, extract, interpret, document, and present evidence from computing equipment, such that any discovered evidence is acceptable during a legal and/or administrative proceeding Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Objectives of Computer Forensics Estimate the potential impact Identify, gather, and Gather evidence of cyber of malicious activity on the preserve the evidence crimes in a forensically victim and assess the intent of a cybercrime sound manner of the perpetrator Minimize the tangible Protect the organization Support the prosecution of and intangible losses to from similar incidents in the perpetrator of an the organization the future incident Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Need for Computer Forensics 01 03 To ensure the overall integrity and To efficiently track down continued existence of IT systems perpetrators from different and network infrastructure within parts of the world the organizations 04 02 To protect the organization’s To extract, process, and interpret financial resources and the factual evidence such that it valuable time proves the attacker’s actions in court Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. When Do You Use Computer Forensics? Prepare for incidents by securing and strengthening the defense mechanism as well as closing the loopholes in security Identify the actions needed for incident response Act against copyright and intellectual property theft/misuse Estimate and minimize the damage to resources in a corporate setup Set a security parameter and formulate security norms for ensuring forensic readiness Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Types of Cybercrimes Cybercrime is defined as any illegal act involving a computing device, network, its systems, or its applications Cybercrime can be categorized into two types based on the line of attack Internal/Insider Attack External Attack ❑ It is an attack performed on a corporate ❑ This type of attack occurs when an network or on a single computer by an attacker from outside the organization entrusted person (insider) who has tries to gain unauthorized access to its authorized access to the network computing systems or informational assets ❑ Such insiders can be former or current employees, business partners, or ❑ These attackers exploit security contractors loopholes or use social engineering techniques to infiltrate the network Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Examples of Cybercrimes 1 Espionage 7 Phishing/Spoofing 2 Intellectual Property Theft 8 Privilege Escalation Attacks 3 Data Manipulation 9 Denial of Service Attack 4 Trojan Horse Attack 10 Cyber Defamation 5 Structured Query Language Attack 11 Cyberterrorism 6 Brute-force Attack 12 Cyberwarfare Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Impact of Cybercrimes at the Organizational Loss of confidentiality, integrity and availability of information Level 01 stored in organizational systems 02 Theft of sensitive data 03 Sudden disruption of business activities 04 Loss of customer and stakeholder trust 05 Substantial reputational damage 06 Huge financial losses 07 Penalties arising from the failure to comply with regulations Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Flow 3 Understand Forensic 4 5 2 Readiness Identify the Roles and Understand Legal Responsibilities of a Compliance in Understand Digital Forensic Investigator Computer Forensics 1 Evidence Understand the Fundamentals of Computer Forensics Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Introduction to Digital Evidence Digital evidence is defined as “any information of probative value that is either stored or transmitted in a digital form” Digital evidence is circumstantial and fragile in nature, which makes it difficult for a forensic investigator to trace criminal activities According to Locard's Exchange Principle, “anyone or anything, entering a crime scene takes something of the scene with them, and leaves something of themselves behind when they leave” Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Types of Digital Evidence Volatile Data Non-volatile Data ❑ Data that are lost as soon as the ❑ Permanent data stored on device is powered off; examples secondary storage devices such include system time, logged-on as hard disks and memory cards; user(s), open files, network examples include hidden files, information, process information, slack space, swap file, index.dat process-to-port mapping, process files, unallocated clusters, memory, clipboard contents, unused partitions, hidden service/driver information, partitions, registry settings, command history, etc. event logs, etc. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Roles of Digital Evidence ❑ Examples of cases where digital evidence may assist the forensic investigator in the prosecution or defense of a suspect: 01 02 03 04 05 Identity theft Malicious attacks on Information Unauthorized Theft of commercial the computer systems leakage transmission of secrets themselves information 06 07 08 09 10 Use/abuse of the Production of Unauthorized Abuse of systems Email communication Internet false documents encryption/ password between suspects/ and accounts protection of conspirators documents Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Sources of Potential Evidence Computer-Created User-Created Files User-Protected Files Files ▪ Address books ▪ Compressed files ▪ Backup files ▪ Database files ▪ Log files ▪ Misnamed files ▪ Media (images, graphics, ▪ Configuration files audio, video, etc.) files ▪ Encrypted files ▪ Printer spool files ▪ Documents (text, ▪ Password-protected files ▪ Cookies spreadsheet, presentation, etc.) files ▪ Hidden files ▪ Swap files ▪ Internet bookmarks, ▪ System files favorites, etc. ▪ Steganography ▪ History files ▪ Temporary files Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Sources of Potential Evidence (Cont’d) Device Location of Potential Evidence Hard Drive Text, picture, video, multimedia, database, and computer program files Thumb Drive Text, graphics, image, and picture files Memory Card Event logs, chat logs, text files, image files, picture files, and internet browsing history Smart Card Evidence is found by recognizing or authenticating the information of the card and the user, Dongle through the level of access, configurations, permissions, and in the device itself Biometric Scanner Voice recordings such as deleted messages, last called number, memo, phone numbers, Answering Machine and tapes Digital Camera/Surveillance Images, removable cartridges, video, sound, time and date stamp, etc. cameras Random Access Memory Evidence is located and can be acquired from the main memory of the computer (RAM) and Volatile storage Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Sources of Potential Evidence (Cont’d) Device Location of Potential Evidence Address book, appointment calendars or information, documents, email, Handheld Devices handwriting, password, phone book, text messages, and voice messages Local Area Network (LAN) Card/ Network MAC (Media Access Control) address Interface Card (NIC) For routers, evidence is found in the configuration files Routers, Modem, Hubs, and Switches For hubs, switches, and modems evidence is found on the devices themselves Network Cables and On the devices themselves Connectors Server Computer system Evidence is found through usage logs, time and date information, and Printer network identity information, ink cartridges, and time and date stamp Internet of Things and Evidence can be acquired in the form of GPS, audio and video recordings, wearables cloud storage sensors, etc. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Sources of Potential Evidence (Cont’d) Device Location of Potential Evidence Removable Storage device and media such as tape, CD, DVD, and Blu-ray contain the evidence Storage in the devices themselves Device and Media Scanner Evidence is found by looking at the marks on the glass of the scanner Evidence is found through names, phone numbers, caller identification Telephones information, appointment information, electronic mail and pages, etc. Copiers Documents, user usage logs, time and date stamps, etc. Credit Card Evidence is found through card expiration date, user’s address, credit card Skimmers numbers, user’s name, etc. Evidence is found through address book, notes, appointment calendars, phone Digital Watches numbers, email, etc. Facsimile (Fax) Evidence is found through documents, phone numbers, film cartridge, send or Machines receive logs Global Positioning Evidence is found through previous destinations, way points, routes, travel logs, Systems (GPS) etc. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Rules of Evidence ❑ Digital evidence collection must be governed by five basic rules that make it admissible in a court of law: Understandable 1 Evidence must be clear and understandable to the judges Admissible 2 Evidence must be related to the fact being proved Authentic 3 Evidence must be real and appropriately related to the incident Reliable 4 There must be no doubt about the authenticity or veracity of the evidence Complete 5 The evidence must prove the attacker’s actions or his/her innocence Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Best Evidence Rule It states that the court only allows the original evidence of a document, photograph, or recording at the trial rather than a copy. However, the duplicate can be accepted as evidence, provided the court finds the party’s reasons for submitting the duplicate to be genuine. The principle underlying the best evidence rule is that the original evidence is considered as the best evidence Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Federal Rules of Evidence (United States) These rules shall be construed to secure fairness in administration, elimination of unjustifiable expense and delay, and promotion of growth and development of the law of evidence to the end that the truth may be ascertained and proceedings justly determined https://www.rulesofevidence.org Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Scientific Working Group on Digital Evidence (SWGDE) Principle 1 Standards and Criteria 1.1 ▪ In order to ensure that the digital evidence is ▪ All agencies that seize and/or examine digital collected, preserved, examined, or transferred evidence must maintain an appropriate SOP in a manner safeguarding the accuracy and document. All elements of an agency's policies reliability of the evidence, law enforcement and procedures concerning digital evidence and forensic organizations must establish and must be clearly set forth in this SOP document, maintain an effective quality system which must be issued under the agency's management authority. Standards and Criteria 1.2 Standards and Criteria 1.3 ▪ Agency management must review the SOPs on an ▪ Procedures used must be generally accepted in annual basis to ensure their continued suitability the field or supported by data gathered and and effectiveness recorded in a scientific manner https://www.swgde.org Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Scientific Working Group on Digital Evidence (SWGDE) (Cont’d) Standards and Criteria 1.4 1 The agency must maintain written copies of appropriate technical procedures Standards and Criteria 1.5 2 The agency must use hardware and software that are appropriate and effective for the seizure or examination procedure Standards and Criteria 1.6 3 All activity relating to the seizure, storage, examination, or transfer of the digital evidence must be recorded in writing and be available for review and testimony Standards and Criteria 1.7 4 Any action that has the potential to alter, damage, or destroy any aspect of the original evidence must be performed by qualified persons in a forensically sound manner https://www.swgde.org Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. The Association of Chief Police Officers (ACPO) Principles of Digital Evidence Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to explain his/her actions and the impact of those actions on the evidence, in the court Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result. Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to https://www.college.police.uk Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Flow 3 Understand Forensic 4 5 2 Readiness Identify the Roles and Understand Legal Responsibilities of a Compliance in Understand Digital Forensic Investigator Computer Forensics 1 Evidence Understand the Fundamentals of Computer Forensics Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Forensic Readiness ` ❑ Forensic readiness refers to an organization’s ability to optimally use digital evidence in a limited period of time and with minimal investigation costs Benefits: ▪ Fast and efficient investigation with minimal disruption to the business ▪ Provides security from cybercrimes such as intellectual property theft, fraud, or extortion Forensic ▪ Offers structured storage of evidence that reduces the cost and time of an investigation ▪ Improves law enforcement interface ▪ Helps the organization use the digital evidence in its own defense Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Forensic Readiness and Business Continuity ❑ Forensic readiness helps maintain business continuity by allowing quick and easy identification of the impacted components and replacing them to continue the services and business Forensic readiness allows businesses to: Lack of forensic readiness may result in: ❑ Quickly determine the incidents ❑ Loss of clients due to damage to the organization’s reputation ❑ Collect legally sound evidence and analyze it to identify attackers ❑ System downtime ❑ Minimize the required resources ❑ Data manipulation, deletion, and theft ❑ Quickly recover from damage with less downtime ❑ Inability to collect legally sound evidence ❑ Gather evidence to claim insurance ❑ Legally prosecute the perpetrators and claim damages Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Forensics Readiness Planning ❑ Forensic readiness planning refers to a set of processes to be followed to achieve and maintain forensics readiness Identify the potential evidence Identify if the incident requires full 1 required for an incident 5 or formal investigation Create a process for documenting 2 Determine the sources of evidence 6 the procedure Define a policy that determines the Establish a legal advisory board to 3 pathway to legally extract electronic 7 guide the investigation process evidence with minimal disruption Establish a policy to handle and store Keep an incident response team ready 4 the acquired evidence in a secure 8 to review the incident and preserve manner the evidence Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Flow 3 Understand Forensic 4 5 2 Readiness Identify the Roles and Understand Legal Responsibilities of a Compliance in Understand Digital Forensic Investigator Computer Forensics 1 Evidence Understand the Fundamentals of Computer Forensics Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Need for a Forensic Investigator Cybercrime Sound Evidence Incident Handling Investigation Handling and Response Forensic investigators, by virtue If a technically inexperienced Forensic investigators help of their skills and experience, person examines the evidence, it organizations maintain forensics help organizations and law might become inadmissible in a readiness and implement enforcement agencies court of law effective incident handling and investigate and prosecute the response perpetrators of cybercrimes Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Roles and Responsibilities of a Forensics Investigator A forensic investigator performs the following tasks: Determines the extent of any Analyzes the evidence data found damage done during the crime Recovers data of investigative value from computing devices Prepares the analysis report involved in crimes Updates the organization about Creates an image of the original various attack methods and data evidence without tampering with recovery techniques, and maintains it to maintain its integrity a record of them Addresses the issue in a court of law Guides the officials carrying out and attempts to win the case by the investigation testifying in court Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. What Makes a Good Computer Forensics Investigator? Interviewing skills to gather extensive information about the case from the client or victim, witnesses, and suspects Excellent writing skills to detail findings in the report Strong analytical skills to find the evidence and link it to the suspect Excellent communication skills to explain their findings to the audience Remains updated about new methodologies and forensic technology Well-versed in more than one computer platform (including Windows, Macintosh, and Linux) Knowledge of various technologies, hardware, and software Develops and maintains contact with computing, networking, and investigating professionals Has knowledge of the laws relevant to the case Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Flow 3 Understand Forensic 4 5 2 Readiness Identify the Roles and Understand Legal Responsibilities of a Compliance in Understand Digital Forensic Investigator Computer Forensics 1 Evidence Understand the Fundamentals of Computer Forensics Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Computer Forensics and Legal Compliance ❑ Legal compliance in computer Electronic Communications 01 Gramm-Leach-Bliley Act (GLBA) 05 Privacy Act forensics ensures that any evidence that is collected and analyzed is admissible in a court Federal Information Security General Data Protection of law 02 Modernization Act of 2014 06 Regulation (GDPR) (FISMA) ❑ Compliance with certain Health Insurance Portability regulations and standards plays an important part in computer 03 and Accountability Act of 07 Data Protection Act 2018 1996 (HIPAA) forensic investigation and analysis, some of which are as Payment Card Industry Data Sarbanes-Oxley Act (SOX) follows: 04 08 Security Standard (PCI DSS) of 2002 Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Other Laws Relevant to Computer Forensics United States Foreign Intelligence Surveillance Act https://www.fas.org Protect America Act of 2007 https://www.congress.gov Privacy Act of 1974 https://www.justice.gov National Information Infrastructure Protection Act of 1996 https://www.congress.gov Computer Security Act of 1987 https://www.congress.gov Freedom of Information Act (FOIA) https://www.foia.gov United Kingdom Regulation of Investigatory Powers Act 2000 https://www.legislation.gov.au Cybercrime Act 2001 https://www.legislation.gov.au Australia Information Privacy Act 2014 https://www.findandconnect.gov.au India Information Technology Act http://www.dot.gov.in Section 202a. Data Espionage, Section 303a. Alteration of Data, Section 303b. Computer Germany http://www.cybercrimelaw.net Sabotage Italy Penal Code Article 615 ter http://www.cybercrimelaw.net Canada Canadian Criminal Code Section 342.1 https://laws-lois.justice.gc.ca Singapore Computer Misuse Act https://sso.agc.gov.sg Belgium Computer Hacking http://www.cybercrimelaw.net Brazil Unauthorized modification or alteration of the information system https://www.domstol.no Philippines Data Privacy Act of 2012 https://www.privacy.gov.ph Hong Kong Cap. 486 Personal Data (Privacy) Ordinance https://www.pcpd.org.hk Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Summary This module has discussed the fundamentals of computer 1 forensics It has covered various types of digital evidence and rules of 2 evidence It also discussed in detail on various laws and rules to be 3 considered during digital evidence collection This module also discussed the forensic readiness planning 4 and business continuity It has also discussed the roles and responsibilities of 5 a forensic investigator Finally, this module ended with a detailed discussion on 6 legal compliance in computer forensics In the next module, we will discuss in detail on computer 7 forensics investigation process Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module 02 Computer Forensics Investigation Process Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Objectives Understanding the Forensic Investigation 1 Process and its Importance 2 Understanding the Pre-investigation Phase 3 Understanding the Investigation Phase 4 Understanding the Post-investigation Phase Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Flow Forensic Investigation Forensic Investigation Process - Pre-investigation 02 03 Process - Investigation Phase Phase Understand the Forensic Forensic Investigation Investigation Process and 01 04 Process - Post-investigation its Importance Phase Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Forensic Investigation Process A methodological approach to investigate, seize, and analyze digital evidence and then manage the case from the time of search and seizure to reporting the investigation result Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Importance of the Forensic Investigation Process As digital evidence is fragile in nature, following strict guidelines and thorough forensic investigation process that ensures the integrity of evidence is critical to prove a case in the court of law The forensics investigation process to be followed should comply with local laws and established precedents. Any breach/deviation may jeopardize the complete investigation. The investigators must follow a repeatable and well- documented set of steps such that every iteration of analysis provides the same findings; else, the findings of the investigation can be invalidated during the cross examination in a court of law Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Phases Involved in the Forensics Investigation Process Pre-investigation Investigation Post-investigation Phase Phase Phase ❑ Deals with tasks to be ❑ The main phase of the ❑ Includes documentation of all performed prior to the computer forensics actions undertaken and all commencement of the actual investigation process findings uncovered during the investigation investigation ❑ Involves setting up a computer ❑ Involves acquisition, forensics lab, building a preservation, and analysis of ❑ Ensures that the report is easily forensics workstation, evidentiary data to identify the explicable to the target developing an investigation source of the crime and the audience and that it provides toolkit, setting up an culprit behind it adequate and acceptable investigation team, getting evidence approval from the relevant authority, etc. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Flow Forensic Investigation Forensic Investigation Process - Pre-investigation 02 03 Process - Investigation Phase Phase Understand the Forensic Forensic Investigation Investigation Process and 01 04 Process - Post-investigation its Importance Phase Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Setting Up a Computer Forensics Lab A Computer Forensics Lab (CFL) is a location that houses instruments, software and hardware tools, and forensic workstations required for conducting a computer-based investigation with regard to the collected evidence 1 2 3 Planning & budgeting Physical & Structural design Work area considerations considerations considerations ✓ Number of expected cases ✓ Lab size ✓ Workstation requirement ✓ Type of investigation ✓ Access to essential services ✓ Ambience ✓ Manpower ✓ Space estimation for work area and ✓ Internet, network and communication line ✓ Equipment and software requirement evidence storage ✓ Lighting systems and emergency power ✓ Heating, ventilation, and air-conditioning 4 5 6 Physical security considerations Human resource considerations Forensic lab licensing ✓ Electronic sign-in ✓ Number of required personnel ✓ ASCLD/LAB accreditation ✓ Intrusion alarm systems ✓ Training and certification ✓ ISO/IEC 17025 accreditation ✓ Fire suppression systems Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Building the Investigation Team ❑ Keep the team small to protect the confidentiality of the investigation and to guard against information leaks ❑ Identify team members and assign them responsibilities ❑ Ensure that every team member has the necessary clearance and authorization to conduct assigned tasks ❑ Assign one team member as the technical lead for the investigation People Involved in an Investigation Team Photographer Photographs the crime scene and the evidence gathered Incident Responder Responsible for the measures to be taken when an incident occurs Incident Analyzer Analyzes the incidents based on their occurrence Evidence Examiner/Investigator Examines the evidence acquired and sorts the useful evidence Evidence Documenter Documents all the evidence and the phases present in the investigation process Evidence Manager Manages the evidence in such a way that it is admissible in the court of law Evidence Witness Offers a formal opinion in the form of a testimony in the court of law Attorney Provides legal advice Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Understanding the Hardware and Software Requirements of a Forensic Lab ❑ A digital forensic lab should have all the necessary hardware and software tools to support the investigation process, starting from searching and seizing the evidence to reporting the outcome of the analysis Hardware Software Two or more forensic workstations with good OSes processing power and RAM Data discovery tools Specialized cables Password-cracking tools Write-blockers and drive duplicators Acquisition tools Archive and Restore devices Data analyzers Media sterilization systems Data recovery tools Other equipment that allow forensic software File viewers (Image and graphics) tools to work File type conversion tools Computer Forensic hardware toolkit, such as Paraben's First Responder Bundle, DeepSpar Security and Utilities software Disk Imager, FRED forensic workstation etc. Computer forensic software tools such as Wireshark, Access Data’s FTK etc. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Flow Forensic Investigation Forensic Investigation Process - Pre-investigation 02 03 Process - Investigation Phase Phase Understand the Forensic Forensic Investigation Investigation Process and 01 04 Process - Post-investigation its Importance Phase Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Computer Forensics Investigation Methodology 1 2 3 Documenting the Search Evidence Electronic Crime Scene and Seizure Preservation 6 5 4 Case Analysis Data Analysis Data Acquisition 7 8 Testifying as an Reporting Expert Witness Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Documenting the Electronic Crime Scene ❑ Documentation of the electronic crime scene is necessary to maintain a record of all the forensic investigation processes performed to identify, extract, analyze, and preserve the evidence Points to remember when documenting the crime scene ▪ Document the physical crime scene, noting the position of the system and other equipment, if any ▪ Document details of any related or difficult-to-find electronic components ▪ Record the state of computer systems, digital storage media, and electronic devices, including their power status Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Search and Seizure ❑ Planning the search and seizure ✓ Seeking consent ✓ Obtaining witness signatures ✓ Obtaining warrant for search and seizure ❑ Securing and evaluating ✓ Collecting incident information the crime scene ❑ Initial search of the ❑ Seizing evidence at crime scene scene ✓ Dealing with powered-on computers ✓ Dealing with powered-off computers ✓ Dealing with networked computers ✓ Operating System shutdown procedure ✓ Dealing with mobiles and other handheld devices Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Planning the Search and Seizure A search and seizure plan should contain the following details: Description of the incident Creating a chain of custody document Case name or title of the incident Details of equipment to be seized Location of the incident Search and seizure type (overt/covert) Applicable jurisdiction and relevant legislation Approval from local management Determining the extent of authority to search Health and safety precautions Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Evidence Preservation Evidence preservation refers to the proper handling and 1 documentation of evidence to ensure that it is free from any contamination Any physical and/or digital evidence seized should be 2 isolated, secured, transported and preserved to protect its true state At the time of evidence transfer, both the sender and the 3 receiver need to provide information about the date and time of transfer in the chain of custody record The procedures used to protect the evidence and document 4 it while collecting and shipping are as follows: ▪ The logbook of the project ▪ A tag to uniquely identify any evidence ▪ A chain of custody record Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Data Acquisition Forensic data acquisition is a process of imaging or collecting information from various media in accordance with certain standards for analyzing its forensic value Investigators can then forensically process and examine the collected data to extract information relevant to any particular case or incident while protecting the integrity of the data It is one of the most critical steps of digital forensics as improper acquisition may alter data in evidence media, and render it inadmissible in the court of law Investigators should be able to verify the accuracy of acquired data, and the complete process should be auditable and acceptable to the court Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Data Analysis ❑ This phase includes the following: ▪ Analysis of the file’s content, date ❑ Data analysis techniques depend and time of file creation and on the scope of the case or the modification, users associated with file creation, access and file client’s requirements ❑ Data analysis refers to the process modification, and physical storage of examining, identifying, location of the file separating, converting, and ▪ Timeline generation modeling data to isolate useful ▪ Identification of the root cause of information the incident Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Case Analysis Investigators can relate the evidential data to the case details for understanding how the complete incident took place and determining the future actions such as the following: Determine the possibility of exploring Gather additional information Consider the relevance of other investigative procedures to gather related to the case (e.g., aliases, components that are out of the additional evidence (e.g., checking host email accounts, ISP used, names, scope of investigation; for data and examining network service logs network configuration, system example, equipment such as for any information of evidentiary value, logs, and passwords) by laminators, check paper, collecting case-specific evidence from interviewing the respective scanners, and printers in case of social media, identifying remote storage individuals any fraud; or digital cameras in locations etc.) case of child pornography Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Flow Forensic Investigation Forensic Investigation Process - Pre-investigation 02 03 Process - Investigation Phase Phase Understand the Forensic Forensic Investigation Investigation Process and 01 04 Process - Post-investigation its Importance Phase Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Gathering and Organizing Information ❑ Documentation in each phase should be identified to Identification decide whether it is appropriate to the investigation and should be organized in specific categories Procedures Following are the procedures for gathering and organizing the required documentation: ▪ Gather all notes from different phases of the investigation process ▪ Identify the facts to be included in the report for supporting the conclusions ▪ List all the evidence to submit with the report ▪ List the conclusions that need to be in the report ▪ Organize and classify the information gathered to create a concise and accurate report Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Writing the Investigation Report Report writing is a crucial stage in the outcome of the investigation The report should be clear, concise, and written for the appropriate audience Important aspects of a good report: ✓ It should accurately define the details of an incident ✓ It should convey all necessary information in a concise manner ✓ It should be technically sound and understandable to the target audience ✓ It should be structured in a logical manner so that information can be easily located ✓ It should be able to withstand legal inspection ✓ It should adhere to local laws to be admissible in court Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Forensics Investigation Report Template A forensics investigation report template contains the following: ❑ Executive summary ✓ Case number ✓ Names and Social Security Numbers of authors, investigators, and examiners ✓ Purpose of investigation ✓ Significant findings ✓ Signature analysis ❑ Investigation objectives ❑ Details of the incident ✓ Date and time the incident allegedly occurred ✓ Date and time the incident was reported to the agency’s personnel ✓ Details of the person or persons reporting the incident ❑ Investigation process ✓ Date and time the investigation was assigned ✓ Allotted investigators ✓ Nature of the claim and information provided to the investigators Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Forensics Investigation Report Template (Cont’d) ❑ Evidence information ❑ Relevant findings ✓ Location of the evidence ❑ Supporting Files ✓ List of the collected evidence ✓ Attachments and appendices ✓ Tools involved in collecting the evidence ✓ Full path of the important files ✓ Preservation of the evidence ✓ Expert reviews and opinion ❑ Evaluation and analysis Process ❑ Other supporting details ✓ Initial evaluation of the evidence ✓ Attacker’s methodology ✓ Investigative techniques ✓ User’s applications and Internet ✓ Analysis of the computer evidence activity (Tools involved) ✓ Recommendations Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Testifying as an Expert Witness Presenting digital evidence in the court requires knowledge of new, specialized, evolving, and sometimes complex technology Familiarize the expert witness with the usual procedures that are followed during a trial Things that take place The attorney introduces the expert witness in the court room The opposing counsel may try to discredit the expert witness The attorney leads the expert witness through the evidence Later, it is followed by the opposing counsel’s cross-examination Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Summary This module has discussed the forensic investigation process and its importance It has covered various activities involved in the pre-investigation phase It also discussed in detail on activities performed in the investigation phase Finally, this module ended with a detailed discussion on the post-investigation phase activities In the next module, we will discuss in detail on understanding hard disks and file systems Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module 03 Understanding Hard Disks and File Systems Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Objectives 1 Understanding Different Types of Storage Drives and their Characteristics 2 Understanding the Logical Structure of a Disk 3 Understanding the Booting Process of Windows, Linux, and Mac Operating Systems 4 Overview of various File Systems of Windows, Linux, and Mac Operating Systems 5 Analyzing File Systems using Autopsy and The Sleuth Kit Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Module Flow Describe Different Types of Disk Drives and their Characteristics Explain the Logical Structure of a Disk Understand Booting Process of Windows, Linux, and Mac Operating Systems Understand Various File Systems of Windows, Linux, and Mac Examine the File Operating Systems System Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. ❑ HDD is a non-volatile digital data storage device that records Understanding data magnetically on a metallic platter Hard Disk ❑ The read/write performance of an HDD is directly proportional Drive to the RPM (revolutions per minute) of the drive platter Slider (and Head) Actuator Actuator Axis Actuator Arm Platters Tracks Spindle

Computer Foundations (12 files merged).pdf

Document Details

Tags

Related

Full Transcript

Upgrade to continue