Computer Forensics - Introduction and the Details

ssuserec53e73 30 views 30 slides Oct 02, 2024

Slide Content

CADX 105 COMPUTER FORENSICS AND INVESTIGATION Module I

Overview of digital forensics
Digital forensics is a branch of forensic science that focuses on identifying, acquiring, processing, analysing, and reporting on data stored electronically. Electronic evidence is a component of almost all criminal activity, and digital forensics support is crucial for law enforcement investigations. Electronic evidence can be collected from a wide array of sources, such as computers, smartphones, remote storage, unmanned aerial systems, shipborne equipment, and more. The main goal of digital forensics is to extract data from the electronic evidence, process it into actionable intelligence, and present the findings for prosecution. Every step uses sound forensic techniques so that the findings are admissible in court.

Forensics investigators often work as part of a team to secure an organization's computers and networks. The digital investigation function can be viewed as part of a triad that makes up computing security. Rapid progress in technology has expanded the skills needed, and the mix varies with the organization employing practitioners in this field. The investigations triad is made up of these functions:
- Vulnerability/threat assessment and risk management
- Network intrusion detection and incident response
- Digital investigations

When you work in the vulnerability/threat assessment and risk management group, you test and verify the integrity of stand-alone workstations and network servers. This integrity check covers the physical security of systems and the security of operating systems (OSs) and applications. People working in this group (often known as penetration testers) test for vulnerabilities of OSs and applications used in the network and conduct authorized attacks on the network to assess vulnerabilities. Typically, people performing this task have several years of experience in system administration. Their job is to poke holes in the network to help an organization be better prepared for a real attack.

Professionals in the vulnerability assessment and risk management group also need skills in network intrusion detection and incident response. This group detects intruder attacks by using automated tools and monitoring network firewall logs. When an external attack is detected, the response team tracks, locates, and identifies the intrusion method and denies further access to the network. If an intruder launches an attack that causes damage or potential damage, this team collects the necessary evidence, which can be used for civil or criminal litigation against the intruder and to prevent future intrusions. If an internal user is engaged in illegal acts or policy violations, the network intrusion detection and incident response group might assist in locating the user. For example, someone at a community college sends e-mails containing a worm to other users on the network. The network team realizes the e-mails are coming from a node on the internal network, and the security team focuses on that node.

The digital investigations group manages investigations and conducts forensics analysis of systems suspected of containing evidence related to an incident or a crime. For complex casework, this group draws on resources from personnel in vulnerability assessment, risk management, and network intrusion detection and incident response. However, the digital investigations group typically resolves or terminates case investigations.

Digital Investigations
Digital investigations can be categorized several ways. For the purposes of this discussion, however, they fall into two categories: public-sector investigations and private-sector investigations.

Public-sector investigations
In general, public-sector investigations involve government agencies responsible for criminal investigations and prosecution. Government agencies range from municipal, county, and state or provincial police departments to federal law enforcement agencies. These organizations must observe the legal guidelines of their jurisdictions, such as Section 8 of the Canadian Charter of Rights and Freedoms and the Fourth Amendment to the U.S. Constitution, both of which restrict government search and seizure. The law of search and seizure in the United States protects the rights of people, including people suspected of crimes; as a digital forensics examiner, you must follow these laws. The Department of Justice (DOJ) updates its guidance on computer search and seizure regularly.

Private-sector investigations
Private-sector investigations focus more on policy violations, such as not adhering to Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. However, criminal acts, such as corporate espionage, can also occur. So although private-sector investigations often start as civil cases, they can develop into criminal cases; likewise, a criminal case can have implications leading to a civil case. If you follow good forensics procedures, the evidence found in your examinations can make the transition between civil and criminal cases.

Maintaining Professional Conduct
As a professional, you must exhibit the highest level of professional behavior at all times. To do so, you must maintain objectivity and confidentiality during an investigation, expand your technical knowledge constantly, and conduct yourself with integrity. Maintaining objectivity means you form opinions based on your education, training, experience, and the evidence in your cases. Avoid drawing conclusions about your findings until you have exhausted all reasonable leads and considered the available facts. Your ultimate responsibility is to find relevant digital evidence. You must avoid prejudice or bias to maintain the integrity of your fact-finding in all investigations. For example, if you're employed by an attorney, don't allow the attorney's agenda to dictate the outcome of your investigation. Your reputation depends on maintaining your objectivity.

Private-Sector High-Tech Investigations
As an investigator, you need to develop formal procedures and informal checklists to cover all issues important to high-tech investigations. These procedures are necessary to ensure that correct techniques are used in an investigation. Use informal checklists to be certain that all evidence is collected and processed correctly. This section lists some sample procedures that digital investigators commonly use in private-sector high-tech investigations.

Employee Termination Cases
Most investigative work for termination cases involves employee abuse of company resources. Incidents that create a hostile work environment, such as viewing pornography in the workplace and sending inappropriate e-mails, are the predominant types of cases investigated. The following sections describe key points for conducting an investigation that might lead to an employee's termination. Consulting with your organization's general counsel and Human Resources Department for specific directions on how to handle these investigations is recommended.

Internet Abuse Investigations
The information in this section applies to an organization's internal private network, not a public ISP. Consult with your organization's general counsel after reviewing this list, and make changes according to their directions to build your own procedures. To conduct an investigation involving Internet abuse, you need the following:
- The organization's Internet proxy server logs
- The suspect computer's IP address, obtained from your organization's network administrator
- The suspect computer's disk drive
- Your preferred digital forensics analysis tool
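The first two items on that list are used together: the proxy logs are filtered for the suspect's IP address and summarized per destination host, with first and last seen times, so that the disk examination can be targeted. The following Python script is an added example, not part of the lecture; the log lines are constructed in the Squid native access.log layout (timestamp, elapsed time, client IP, result/status, bytes, method, URL, user, hierarchy, MIME type), and the IP addresses and hostnames are placeholders.

```python
"""Added example (not from the lecture): correlate proxy logs with a suspect IP."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample lines in Squid native access.log layout:
# <unix ts> <elapsed ms> <client ip> <result/status> <bytes> <method> <url> <user> <hierarchy> <mime>
SAMPLE_PROXY_LOG = """\
1696233600.123    312 10.1.5.42 TCP_MISS/200 48211 GET http://intranet.example.com/portal - HIER_DIRECT/10.1.0.9 text/html
1696233605.450   1280 10.1.5.42 TCP_MISS/200 93810 GET http://gambling-site.example/lobby - HIER_DIRECT/203.0.113.7 text/html
1696233607.002    201 10.1.5.99 TCP_HIT/200 1923 GET http://intranet.example.com/news - NONE/- text/html
1696233640.777   2210 10.1.5.42 TCP_MISS/200 201934 GET http://gambling-site.example/play?table=7 - HIER_DIRECT/203.0.113.7 text/html
1696233999.010    150 10.1.5.42 TCP_DENIED/403 3210 CONNECT adult-content.example:443 - HIER_NONE/- text/html
"""


def parse_squid_line(line):
    """Split one Squid native log line into the fields an investigator needs."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts, _elapsed, client, result, size, method, url = parts[:7]
    # CONNECT (HTTPS tunnel) requests log host:port instead of a full URL
    host = url.split(":")[0] if method == "CONNECT" else urlsplit(url).hostname
    return {
        "time": datetime.fromtimestamp(float(ts), tz=timezone.utc),
        "client": client,
        "status": result.split("/")[-1],
        "bytes": int(size),
        "method": method,
        "host": host,
        "url": url,
    }


def summarize_suspect_activity(log_text, suspect_ip):
    """Per destination host for one client IP: request count, bytes,
    first/last seen (UTC) and how many requests the proxy denied."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["client"] != suspect_ip:
            continue
        h = hosts.setdefault(rec["host"], {"requests": 0, "bytes": 0, "denied": 0,
                                           "first": rec["time"], "last": rec["time"]})
        h["requests"] += 1
        h["bytes"] += rec["bytes"]
        h["first"] = min(h["first"], rec["time"])
        h["last"] = max(h["last"], rec["time"])
        if rec["status"] == "403":
            h["denied"] += 1
    return hosts


if __name__ == "__main__":
    for host, h in sorted(summarize_suspect_activity(SAMPLE_PROXY_LOG, "10.1.5.42").items()):
        print(f"{host:28s} {h['requests']:3d} req {h['bytes']:8d} B denied={h['denied']} "
              f"{h['first']:%Y-%m-%d %H:%M:%S} .. {h['last']:%H:%M:%S}")
```

Proxy timestamps are in the proxy's clock and time zone; before comparing them with file timestamps from the suspect's disk, record the clock offset of both systems, since a few minutes of skew can change which user was logged on. A denied (403) request is still evidence of intent, which is why the summary counts it separately rather than dropping it.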

E-mail Abuse Investigations
E-mail investigations typically include spam, inappropriate and offensive message content, and harassment or threats. E-mail is subject to the same restrictions as other computer evidence data, in that an organization must have a defined policy, as described previously. The following list is what you need for an investigation involving e-mail abuse:
- An electronic copy of the offending e-mail that contains the message header data; consult with your e-mail server administrator
- If available, e-mail server log records; consult with your e-mail server administrator to see whether they are available
- For e-mail systems that store users' messages on a central server, access to the server; consult with your e-mail server administrator
- For e-mail systems that store users' messages on a computer, as an Outlook .pst or .ost file for example, access to the computer so that you can perform a forensic analysis on it
- Your preferred digital forensics analysis tool
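The header data matters because each relay prepends its own Received header, so reading them bottom-up reconstructs the path from the sending workstation to the mail store, and the timestamps and IP addresses in those headers are what you match against the server logs. The script below is an added example written for this page, not the lecture's material or any vendor tool; the message is constructed and its hostnames, addresses and IDs are placeholders.

```python
"""Added example (not from the lecture): reconstruct an e-mail's delivery path
from its Received headers and cross-check it against the Message-ID."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message. The topmost Received header was added by the
# last relay, the bottom one by the first; timestamps are each relay's clock.
SAMPLE_MESSAGE = """\
Received: from mx2.example.edu (mx2.example.edu [192.0.2.20])
    by mailstore.example.edu with ESMTP id q3ksj2;
    Mon, 02 Oct 2023 09:15:03 +0000
Received: from ws-117.example.edu (ws-117.example.edu [10.1.5.42])
    by mx2.example.edu with ESMTPSA id 7hd92k;
    Mon, 02 Oct 2023 09:14:58 +0000
Message-ID: <20231002091458.1234@ws-117.example.edu>
From: "George" <george@example.edu>
To: staff@example.edu
Date: Mon, 02 Oct 2023 09:14:55 +0000
Subject: Special offer

Body text.
"""

RECEIVED_RE = re.compile(r"from\s+(?P<src>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<dst>\S+)")
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def parse_received(value):
    """Pull source host, source IP as seen by the relay, receiving host and
    timestamp out of one Received header; None if it does not parse."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IP_RE.search(m.group("info") or "")
    when = None
    if ";" in value:  # the date follows the last semicolon (RFC 5321 layout)
        try:
            when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None
    return {"from": m.group("src"), "ip": ip.group(1) if ip else None,
            "by": m.group("dst"), "time": when}


def received_chain(raw_message):
    """Hops in delivery order, origin first (the header order is reversed
    because every relay prepends its own Received header)."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]


def origin_consistent(raw_message):
    """Cross-check: the host part of the Message-ID should match the first
    hop's source host. A mismatch is a lead, not proof of forgery."""
    msg = message_from_string(raw_message)
    mid = (msg.get("Message-ID") or "").strip("<> ")
    hops = received_chain(raw_message)
    return bool(hops) and "@" in mid and mid.rsplit("@", 1)[1] == hops[0]["from"]


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print(f"{hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['time']}")
    print("Message-ID consistent with origin:", origin_consistent(SAMPLE_MESSAGE))
```

Only the Received headers added by your own servers can be trusted; anything below them was supplied by the sender and can be forged, which is why the first hop's IP address is compared with the server logs and the DHCP or switch records rather than taken at face value.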

Attorney-Client Privilege Investigations
When conducting a digital forensics analysis under attorney-client privilege (ACP) rules for an attorney, you must keep all findings confidential. The attorney you're working for is the ultimate authority over the investigation. For investigations of this nature, attorneys typically request that you extract all data from drives. It's your responsibility to comply with the attorney's directions. Because of the large quantities of data a drive can contain, the attorney will want to know about everything of interest on the drives. Many attorneys like to have printouts of the data you have recovered, but printouts can pose problems when you have log files with several thousand pages of data or CAD drawings that can be read only by proprietary programs. You need to persuade and educate many attorneys on how digital evidence can be viewed electronically. In addition, learn how to teach attorneys and paralegals to sort through files so that you can help them efficiently analyze the huge amount of data a forensic examination produces.

Industrial Espionage Investigations
Industrial espionage cases can be time consuming and are subject to scope creep (meaning the investigation's focus widens and becomes more time consuming). Unlike the other private-sector investigations covered in this section, all suspected industrial espionage cases should be treated as criminal investigations. The techniques described here are for private network environments and internal investigations that haven't yet been reported to law enforcement officials. This list of team roles isn't exhaustive, so use your knowledge to improve on these recommendations:
- The digital investigator who's responsible for disk forensic examinations
- The technology specialist who is knowledgeable about the suspected compromised technical data
- The network specialist who can perform log analysis and set up network monitors to trap network communication of possible suspects
- The threat assessment specialist (typically an attorney) who's familiar with federal and state laws and regulations related to ITAR or EAR and industrial espionage

Interviews and Interrogations in High-Tech Investigations
Becoming a skilled interviewer and interrogator can take many years of experience. Typically, a private-sector digital investigator is a technical person acquiring the evidence for an investigation. Many large organizations have full-time security investigators with years of training and experience in criminal and civil investigations and interviewing techniques. Few of these investigators have any computing or network technical skills, so you might be asked to assist in interviewing or interrogating a suspect when you have performed a forensic disk analysis on that suspect's machine. An interrogation is different from an interview. An interview is usually conducted to collect information from a witness or suspect about specific facts related to an investigation. An interrogation is the process of trying to get a suspect to confess to a specific incident or crime. An investigator might change from an interview to an interrogation when talking to a witness or suspect. The more experience and training investigators have in the art of interviewing and interrogating, the more easily they can determine whether a witness is credible and possibly a suspect. Your role as a digital investigator is to instruct the investigator conducting the interview on what questions to ask and what the answers should be. As you build rapport with the investigator, he or she might ask you to question the suspect. Watching a skilled interrogator is a learning experience in human relations skills. If you're asked to assist in an interview or interrogation, prepare yourself by answering the following questions:
- What questions do I need to ask the suspect to get the vital information about the case?
- Do I know what I'm talking about, or will I have to research the topic or technology related to the investigation?
- Do I need additional questions to cover other indirect issues related to the investigation?

Data Recovery Workstations and Software
Data recovery differs from digital forensics in two ways. In data recovery, the customer or your company just wants the data back, and you usually know what you're trying to retrieve. In digital forensics, you might have an idea of what you're searching for, but not necessarily, and how the data was recovered must be documented well enough to stand up in court. To conduct your investigation and analysis, you must have a specially configured PC known as a forensic workstation, which is a computer loaded with additional bays and forensics software. Depending on your needs, a forensic workstation can use the following operating systems:
- MS-DOS 6.22
- Windows 95, 98, or Me
- Windows NT 3.5 or 4.0
- Windows 2000, XP, Vista, 7, 8, or 10
- Linux
- Mac OS X and macOS

If you boot an operating system with the evidence disk attached and unprotected, the OS writes to that disk as a matter of course: it mounts the volumes, replays file system journals, updates last-access timestamps, may create swap or page files, and performs housekeeping such as Recycle Bin maintenance. Any of these writes alters the evidence and undermines the integrity of what you're trying to preserve. With the continued evolution of Microsoft OSs, it's not always practical to use older MS-DOS platforms, however. Many older digital forensics acquisition tools work in the MS-DOS environment. These tools can operate from an MS-DOS window in Windows 98 or from the command prompt in Windows 2000 and later, although some of their functions are disabled or generate error messages when run in these OSs. Newer file system formats, such as NTFS, are readable only from Windows NT and later or from a Linux OS. You can use one of several write-blockers (hardware or software) that let you boot to Windows with the evidence drive attached without writing data to it.

Setting Up Your Workstation for Digital Forensics
With current digital forensics hardware and software, configuring a computer workstation or laptop as a forensic workstation is simple. All that's required are the following:
- A workstation running Windows 7 or later
- A write-blocker device
- Digital forensics acquisition tool
- Digital forensics analysis tool
- A target drive to receive the source or suspect disk data
- Spare PATA and SATA ports
- USB ports

PATA stands for Parallel Advanced Technology Attachment, a bus interface used for connecting secondary storage devices such as hard disks and optical drives. It was introduced in 1986 by Western Digital and Compaq and was later replaced by SATA. SATA stands for Serial Advanced Technology Attachment, a bus interface that likewise connects hard disks and optical drives. It was introduced in 2001 by the Serial ATA Working Group as demand for PATA declined; SATA's advantages over PATA drove its adoption.

Additional useful items include the following:
- Network interface card (NIC)
- Extra USB ports
- FireWire 400/800 ports
- SCSI card
- Disk editor tool
- Text editor tool
- Graphics viewer program
- Other specialized viewing tools

Conducting an Investigation
Start by gathering the resources you identified in your investigation plan. You need the following items:
- Original storage media
- Evidence custody form
- Evidence container for the storage media, such as an evidence bag
- Bit-stream imaging tool; in this case, FTK Imager Lite
- Forensic workstation to copy and examine the evidence
- Secure evidence locker, cabinet, or safe

Gathering the Evidence
Arrange to meet the IT manager to interview him and pick up the storage media. After interviewing the IT manager, fill out the evidence form, have him sign it, and then sign it yourself. Store the storage media in an evidence bag, and then transport it to your forensic facility. Carry the evidence to a secure container, such as a locker, cabinet, or safe. Complete the evidence custody form. As mentioned, if you're using a multi-evidence form, you can store the form in the file folder for the case. If you're also using single-evidence forms, store them in the secure container with the evidence. Reduce the risk of tampering by limiting access to the forms. Secure the evidence by locking the container.

Understanding Bit-stream Copies
A bit-stream copy is a bit-by-bit copy (also known as a "forensic copy") of the original drive or storage medium and is an exact duplicate. The more exact the copy, the better chance you have of retrieving the evidence you need from the disk. This process is usually referred to as "acquiring an image" or "making an image" of a suspect drive. A bit-stream copy is different from a simple backup copy of a disk. Backup software copies (or compresses) only the files the file system lists, that is, files stored in a folder or of a known file type. Backup software can't copy deleted files and e-mails or recover file fragments, because that data lives in unallocated space and slack space that the file system no longer references. A bit-stream image is the file containing the bit-stream copy of all data on a disk or disk partition. For simplicity, it's usually referred to as an "image," "image save," or "image file." To create an exact image of an evidence disk, copying the image to a target disk that's identical to the evidence disk is preferable (Figure 1-11). The target disk's manufacturer and model, in general, should be the same as the original disk's manufacturer and model. If the target disk is identical to the original, the size in bytes and sectors of both disks should also be the same. Some image acquisition tools can accommodate a target disk that's a different size than the original. Older digital forensics tools designed for MS-DOS work only on a copied disk. Current GUI tools can work on both a disk drive and copied data sets that many manufacturers refer to as "image saves."

Acquiring an Image of Evidence Media
After you retrieve and secure the evidence, you're ready to copy the evidence media and analyze the data. The first rule of digital forensics is to preserve the original evidence. Then conduct your analysis only on a copy of the data, the image of the original medium. Several vendors offer Windows and Linux acquisition tools. These tools, however, require a write-blocking device between the workstation and the evidence drive, and you should hash the acquired image and verify that hash before any analysis begins.
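The two sections above describe what an acquisition tool does; the script below is an added example written for this page (it is not FTK Imager, dd, or any code from the lecture) that shows the logic in miniature: copy the medium sector by sector, zero-fill any sector the drive refuses to read and log it, hash the image as it is written, and then re-read the target and verify the hash independently. The "evidence drive" is a constructed in-memory device with one deliberately unreadable sector; the sector size, sector count and bad-sector number are assumptions for the demonstration.

```python
"""Added example (not from the lecture): sector-by-sector bit-stream
acquisition with a hash computed during the copy and verified afterwards."""
import hashlib
import io

SECTOR_SIZE = 512


def acquire_image(read_sector, sector_count, target, error_log):
    """Copy sectors 0..sector_count-1 from read_sector(i) into target.
    A sector that cannot be read is replaced by zeros and recorded (the
    behaviour of dd's conv=noerror,sync), so every byte of the image stays at
    its original offset and the report can list exactly which sectors are not
    original data. Returns (sha256 hex digest of bytes written, bad sectors)."""
    digest = hashlib.sha256()
    bad_sectors = []
    for i in range(sector_count):
        try:
            chunk = read_sector(i)
            if len(chunk) != SECTOR_SIZE:
                raise OSError("short read")
        except OSError as exc:
            chunk = b"\x00" * SECTOR_SIZE
            bad_sectors.append(i)
            error_log.append(f"sector {i} at byte offset {i * SECTOR_SIZE}: {exc}; zero-filled")
        target.write(chunk)
        digest.update(chunk)
    return digest.hexdigest(), bad_sectors


def verify_image(target, expected_hex, chunk_size=1 << 20):
    """Re-read the target from the start and recompute the hash independently
    of the acquisition pass; a mismatch means the image must not be used."""
    target.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: target.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest() == expected_hex


def constructed_device(sector_count=16, bad=frozenset({5})):
    """Stand-in for an evidence drive behind a write-blocker: deterministic
    content, with the listed sectors raising OSError like a failing disk."""
    data = bytes((i * 7 + 3) & 0xFF for i in range(sector_count * SECTOR_SIZE))

    def read_sector(i):
        if i in bad:
            raise OSError(f"I/O error reading sector {i}")
        return data[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]

    return data, read_sector


def demo(sector_count=16):
    """Acquire the constructed device into a memory buffer and verify it."""
    source_bytes, read_sector = constructed_device(sector_count)
    target = io.BytesIO()
    log = []
    digest, bad = acquire_image(read_sector, sector_count, target, log)
    return {"digest": digest, "bad_sectors": bad, "log": log,
            "verified": verify_image(target, digest),
            "source_bytes": source_bytes, "image_bytes": target.getvalue()}


if __name__ == "__main__":
    result = demo()
    print("SHA-256:", result["digest"])
    print("bad sectors:", result["bad_sectors"], "verified:", result["verified"])
    for line in result["log"]:
        print("  ", line)
```

When every sector is readable, hash the original medium as well and record that the two digests match; when sectors fail, the image hash covers the zero-filled image, not the drive, and the bad-sector log becomes part of the chain-of-custody record so that a second examiner can explain why the two differ.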

Analyzing Your Digital Evidence
When you analyze digital evidence, your job is to recover the data. If users have deleted or overwritten files on a disk, the disk contains deleted files and file fragments in addition to existing files. Remember that as files are deleted, the space they occupied becomes free space, meaning it can be used for new files that are saved or for files that expand as data is added to them. The files that were deleted are still on the disk until a new file is saved to the same physical location, overwriting the original file. In the meantime, those files can still be retrieved. Forensics tools such as Autopsy can retrieve deleted files for use as evidence.

The next step is analyzing the data and searching for information related to the complaint. Data analysis can be the most time-consuming task, even when you know exactly what to look for in the evidence. The method for locating evidentiary artifacts is to search for specific known data values. Data values can be unique words or nonprintable characters, such as hexadecimal codes. There are also printable characters that can't be typed directly on a keyboard, such as the copyright (©) or registered trademark (®) symbols. Many digital forensics programs can search for character strings (letters and numbers) and hexadecimal values, such as 0xA9 for the copyright symbol or 0xAE for the registered trademark symbol. Note that those byte values are the Latin-1 and Windows-1252 encodings; the same characters are two bytes in UTF-8 (C2 A9 and C2 AE) and in UTF-16, so a hex search must match the encoding the data was written in. All these searchable data values are referred to as "keywords."

Completing the Case
After analyzing the disk, you can retrieve deleted files, e-mail, and items that have been purposefully hidden. The files on George's USB drive indicate that he was conducting a side business on his company computer. Now that you have retrieved and analyzed the evidence, you need to find the answers to the following questions to write the final report:
- How did George's manager acquire the disk?
- Did George perform the work on a laptop that is his own property? If so, did he conduct business transactions on his break or during his lunch hour?
- At what times of the day was George using the non-work-related files?
- How did you retrieve this information?
- Which company policies apply?
- Are there any other items that need to be considered?

When you write your report, state what you did and what you found. The report you generate with a forensics tool gives an account of the steps you took. As part of your final report, depending on guidance from management or legal counsel, include this report file to document your work. In any digital investigation, you should be able to repeat the steps you took and produce the same results, and another examiner should be able to do the same from your notes and the image. This capability is referred to as repeatable findings; without it, your work product has no value as evidence.

Critiquing the Case
After you close the case and make your final report, you need to meet with your department or a group of fellow investigators and critique the case in an effort to improve your work. Ask yourself assessment questions such as the following:
- How could you improve your performance in the case?
- Did you expect the results you found? Did the case develop in ways you did not expect?
- Was the documentation as thorough as it could have been?
- What feedback has been received from the requesting source?
- Did you discover any new problems? If so, what are they?
- Did you use new techniques during the case or during research?
Make notes to yourself in your journal about techniques or processes that might need to be changed or addressed in future investigations. Then store your journal in a secure place.