CSF 3403 - Digital Forensics and Investigation - Chapter 4 - Processing Crime and Incident Scenes PDF
Document Details
Higher Colleges of Technology
Ali Abu Romman
Tags
Summary
This document provides a course outline and learning objectives for a Digital Forensics and Investigation chapter focused on processing crime and incident scenes. Key topics include learning outcomes, delivery outline, objectives, and handling digital evidence.
Full Transcript
CSF 3403 - Digital Forensics and Investigation Chapter 4: Processing Crime and Incident Scenes 1 2 Learning Outcomes CLO1: Demonstrate an understanding of digital...
CSF 3403 - Digital Forensics and Investigation Chapter 4: Processing Crime and Incident Scenes 1 2 Learning Outcomes CLO1: Demonstrate an understanding of digital forensics principles, techniques, and legal considerations essential for the collection and investigation of digital evidence. CLO2: Apply proper techniques and tools to acquire and preserve digital evidence from various sources meeting legal standards. CLO3 :Investigate digital crimes and incidents using digital forensic tools producing detailed forensic reports. CLO4: Apply forensic techniques to assess digital artifacts from diverse sources and in various formats. 3 Delivery Outline W1-2: CH1: Understanding The Digital Forensics Profession and Investigations (CLO 1) CH2: Under standing Forensics Lab Requirements (CLO 1) W3: CH6 - Current Digital Forensics Tools (CLO1) W4: CH4 - Processing Crime and Incident Scenes (CLO1,2) W5-6: CH3 - Data Acquisition (CLO2) W7: CH5 - Working with Windows and CLI Systems (CLO3) As_Exam: 25% W8: CH7 – Linux and Macintosh File Systems (CLO3) W9: CH9 – Digital Forensics Analysis and Validation (CLO4) W10: CH8 - Recovering Graphics Files (CLO4) CH11 - E-mail and Social Media Investigations (CLO4) W11: CH14 - Report Writing for High-Tech Investigations (CLO4) W12: Practical Test: PCQ_ACE Exam 15% W13: CH12 - Mobile Device Forensics and the internet of anything (CLO4) W14: CH13 - Cloud Forensics (CLO4) By: Ali Abu Romman Chapter 4: Processing Crime and Incident Scenes (CLO1,2) By: Ali Abu Romman 5 Objectives Upon completing this chapter, students will be able to: Explain the rules for controlling digital evidence Describe how to collect evidence at private-sector incident scenes Explain guidelines for processing law enforcement crime scenes List the steps in preparing for an evidence search Describe how to secure a computer incident or crime scene Explain guidelines for seizing digital evidence at the scene List procedures for storing digital evidence Explain how to obtain a digital hash Review a case to identify requirements and plan your investigation Section 1 Processing Crime and Incident Scenes: 7 Identifying Digital Evidence General tasks investigators perform when working with digital evidence: Identify digital information or artifacts that can be used as evidence Collect, preserve, and document evidence Analyze, identify, and organize evidence Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably Collecting digital devices while processing a criminal or incident scene must be done systematically 8 Understanding Rules of Evidence Consistent practices help verify your work and enhance your credibility Comply with your country rules of evidence or with the Federal Rules of Evidence Evidence admitted in a criminal case can be used in a civil suit, and vice versa Keep current on the latest rulings and directives on collecting, processing, storing, and admitting digital evidence Digital evidence is unlike other physical evidence because it can be changed more easily 9 Understanding Rules of Evidence Computer records are usually divided into: Computer-generated records Computer-stored records Computer-generated and computer-stored records must be shown to be authentic and trustworthy To be admitted into evidence Computer-generated records are considered authentic if the program that created the output is functioning correctly Usually considered an exception to hearsay rule Collecting evidence according to approved steps of evidence control helps ensure that the computer evidence is authentic 10 Collecting Evidence in Private-Sector Incident Scenes Private-sector organizations include: Small to medium businesses, large corporations, and non-government organizations (NGOs) Non-government organizations (NGO) must comply with state public disclosure and federal Freedom of Information Act (FOIA) laws And make certain documents available as public records A special category of private-sector businesses includes ISPs and other communication companies ISPs can investigate computer abuse committed by their employees, but not by customers Except for activities that are deemed to create an emergency situation Investigating and controlling computer incident scenes in the corporate environment Much easier than in crime scenes Incident scene is often a workplace 11 Collecting Evidence in Private-Sector Incident Scenes Typically, businesses have inventory databases of computer hardware and software Help identify the computer forensics tools needed to analyze a policy violation And the best way to conduct the analysis Corporate policy statement about misuse of digital assets Allows corporate investigators to conduct covert surveillance with little or no cause And access company systems without a warrant Companies should display a warning banner and publish a policy Stating that they reserve the right to inspect computing assets at will If a private-sector investigator finds that an employee is committing or has committed a crime Employer can file a criminal complaint with the police 12 Collecting Evidence in Private-Sector Incident Scenes If you discover evidence of a crime during a company policy investigation Determine whether the incident meets the elements of criminal law Inform management of the incident Stop your investigation to make sure you don’t violate Fourth Amendment restrictions on obtaining evidence Work with the corporate attorney on how to respond to a police request for more information 13 Processing Law Enforcement Crime Scenes You must be familiar with criminal rules of search and seizure You should also understand how a search warrant works and what to do when you process one Law enforcement officer may search for and seize criminal evidence only with probable cause Refers to the standard specifying whether a police officer has the right to make an arrest, conduct a personal or property search, or obtain a warrant for arrest With probable cause, a police officer can obtain a search warrant from a judge That authorizes a search and seizure of specific evidence related to the criminal complaint 14 Understanding Concepts and Terms Used in Warrants Innocent information Unrelated information Often included with the evidence you’re trying to recover Judges often issue a limiting phrase to the warrant Allows the police to separate innocent information from evidence 15 Preparing for a Search Preparing for a computer search and seizure Probably the most important step in digital investigations To perform these tasks You might need to get answers from the victim and an informant Who could be a police detective assigned to the case, a law enforcement witness, or a manager or coworker of the person of interest to the investigation 16 Identifying the Nature of the Case When you’re assigned a digital investigation case Start by identifying the nature of the case Including whether it involves the private or public sector The nature of the case dictates how you proceed And what types of assets or resources you need to use in the investigation 17 Identifying the Type of OS or Digital Device For law enforcement This step might be difficult because the crime scene isn’t controlled If you can identify the OS or device Estimate the size of the drive on the suspect’s computer And how many devices to process at the scene Determine which OSs and hardware are involved 18 Determining Whether You Can Seize Computers and Digital Devices The type of case and location of the evidence Determine whether you can remove digital evidence Law enforcement investigators need a warrant to remove computers from a crime scene And transport them to a lab If removing the computers will irreparably harm a business The computers should not be taken offsite 19 Determining Whether You Can Seize Computers and Digital Devices Additional complications: Files stored offsite that are accessed remotely Availability of cloud storage, which can’t be located physically Stored on drives where data from many other subscribers might be stored If you aren’t allowed to take the computers to your lab Determine the resources you need to acquire digital evidence and which tools can speed data acquisition 20 Getting a Detailed Description of the Location Get as much information as you can about the location of a digital crime Identify potential hazards Interact with your HAZMAT (hazardous materials) team HAZMAT guidelines Put the target drive in a special HAZMAT bag HAZMAT technician can decontaminate the bag Check for high temperatures 21 Determining Who Is in Charge Private-sector computing investigations Usually require only one person to respond to an incident Law enforcement agencies Typically handle large-scale investigations Designate lead investigators in large-scale investigations Anyone assigned to the scene should cooperate with the designated leader to ensure the team addresses all details when collecting evidence 22 Using Additional Technical Expertise Determine whether you need specialized help to process the incident or crime scene You may need to look for specialists in: OSs RAID servers Databases Cloud computing Finding the right person can be a challenge Educate specialists in investigative techniques Prevent evidence damage 23 Determining the Tools You Need Prepare tools using incident and crime scene information Create an initial-response field kit Should be lightweight and easy to transport Create an extensive-response field kit Includes all tools you can afford to take to the field When at the scene, extract only those items you need to acquire evidence 24 Determining the Tools You Need 25 Determining the Tools You Need 26 Preparing the Investigation Team Before initiating the search: Review facts, plans, and objectives with the investigation team you have assembled Goal of scene processing To collect and secure digital evidence Digital evidence is volatile Develop skills to assess facts quickly Slow response can cause digital evidence to be lost Section 2 Securing a Computer Incident or Crime Scene 28 Securing a Computer Incident or Crime Scene Goals Preserve the evidence Keep information confidential Define a secure perimeter Use yellow barrier tape Legal authority for a corporate incident includes trespassing violations For a crime scene, it includes obstructing justice or failing to comply with a police officer 29 Securing a Computer Incident or Crime Scene Professional curiosity can destroy evidence Involves police officers and other professionals who aren’t part of the crime scene processing team( only assigned stuff can do the investigaton) Automated Fingerprint Identification System (AFIS) A computerized system for identifying fingerprints that’s connected to a central database Used to identify criminal suspects and review thousands of fingerprint samples at high speed ( check who have access to it) Police can take elimination prints of everyone who had access to the crime scene 30 Processing an Incident or Crime Scene Guidelines Keep a journal to document your activities Secure the scene Be professional and considerate with onlookers Remove people who are not part of the investigation Take video and still recordings of the area around the computer Pay attention to details Sketch the incident or crime scene Check state of computers as soon as possible (alive or offline) Don’t cut electrical power to a running system unless it’s an older Windows 9x or MS-DOS system Save data from current applications as safely as possible 31 Processing an Incident or Crime Scene Record all active windows or shell sessions Make notes of everything you do when copying data from a live suspect computer Close applications and shut down the computer (after save all data from the memory we can close it ) Bag and tag the evidence, following these steps: Assign one person to collect and log all evidence Tag all evidence you collect with the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it Maintain two separate logs of collected evidence( one on the container and one we put it outside) Maintain constant control of the collected evidence and the crime or incident scene 32 Processing an Incident or Crime Scene Look for information related to the investigation Passwords, passphrases, PINs, bank accounts Collect as much personal information as possible about the suspect or victim Collect documentation and media related to the investigation Hardware, software, backup media, documentation, manuals 33 Other considerations: Processing Data Centers with RAID Systems Sparse acquisition Technique for extracting evidence from large systems Extracts only data related to evidence for your case from allocated files(Narrow down And minimizes how much data you need to analyze. Using a Technical Advisor Documenting Evidence in the Lab Processing and Handling Digital Evidence Maintain the integrity of digital evidence in the lab Storing Digital Evidence The media you use to store digital evidence usually depends on how long you need to keep it 34 Other considerations: Documenting Evidence: Create or use an evidence custody form will help in: Identifies the evidence Identifies who has handled the evidence Lists dates and times the evidence was handled Include any detailed information you might need to reference Obtaining a Digital Hash (do a forensic copy) Cyclic Redundancy Check (CRC) ( weak) it can be hacked Message Digest 5 (MD5) Secure Hash Algorithm version 1 (SHA-1) 35 An example of a Criminal Investigation 36 Summary Digital evidence is anything stored or transmitted on electronic or optical media In the private sector, incident scene is often in a contained and controlled area Companies should publish the right to inspect computer assets policy Private and public sectors follow same computing investigation rules Criminal cases: Require warrants. Protect your safety and health as well as the integrity of the evidence Follow guidelines when processing an incident or crime scene To analyze computer forensics data, learn to use more than one vendor tool You must handle all evidence the same way every time you handle it 37 Delivery Outline W1-2: CH1: Understanding The Digital Forensics Profession and Investigations (CLO 1) CH2: Under standing Forensics Lab Requirements (CLO 1) W3: CH6 - Current Digital Forensics Tools (CLO1) W4: CH4 - Processing Crime and Incident Scenes (CLO1,2) W5-6: CH3 - Data Acquisition (CLO2) W7: CH5 - Working with Windows and CLI Systems (CLO3) As_Exam: 25% W8: CH7 – Linux and Macintosh File Systems (CLO3) W9: CH9 – Digital Forensics Analysis and Validation (CLO4) W10: CH8 - Recovering Graphics Files (CLO4) CH11 - E-mail and Social Media Investigations (CLO4) W11: CH14 - Report Writing for High-Tech Investigations (CLO4) W12: Practical Test: PCQ_ACE Exam 15% W13: CH12 - Mobile Device Forensics and the internet of anything (CLO4) W14: CH13 - Cloud Forensics (CLO4) CIS 2103 800 MyHCT (800 www.hct.ac.ae 69428)
