Understanding The Digital Forensics
Profession and Investigations
Dr. Abu Sayed Md. Mostafizur Rahaman
Professor
Department of Computer Science and Engineering
Jahangirnagar University
AN OVERVIEW OF DIGITAL FORENSICS
Digital forensics
– The application of computer science and investigative procedures for a legal
purpose
• involving the analysis of digital evidence after proper search authority, chain of custody,
use of validated tools, repeatability, reporting, and possible expert presentation.
– In October 2012, an ISO standard for digital forensics was ratified - ISO 27037
Information technology - Security techniques
Guide to Computer Forensics and Investigations Fifth Edition asmmr@juniv.edu 2
AN OVERVIEW OF DIGITAL FORENSICS (CONT…)
The Federal Rules of Evidence (FRE) were created to ensure
consistency in federal proceedings
– Signed into law in 1973
– Many states’ rules map to the FRE
FBI Computer Analysis and Response Team (CART) was formed in
1984 to handle cases involving digital evidence
By late 1990s, CART teamed up with Department of Defense Computer
Forensics Laboratory (DCFL) for research and training
AN OVERVIEW OF DIGITAL FORENSICS (CONT…)
The Fourth Amendment to the U.S. Constitution protects everyone’s
right to be secure from search and seizure
– Separate search warrants might not be necessary for digital evidence
Every U.S. jurisdiction has case law related to the admissibility of
evidence recovered from computers and other digital devices
DIGITAL FORENSICS AND OTHER RELATED DISCIPLINES
Investigating digital devices includes:
– Collecting data securely
– Examining suspect data to determine details such as origin and content
– Presenting digital information to courts
– Applying laws to digital device practices
Digital forensics is different from data recovery
– Which involves retrieving information that was deleted by mistake or lost during a
power surge or server crash
DIGITAL FORENSICS AND OTHER RELATED DISCIPLINES
Forensics investigators often work as part of a team, known as the
investigations triad
DIGITAL FORENSICS AND OTHER RELATED DISCIPLINES
Vulnerability/threat assessment and risk management
– Tests and verifies the integrity of stand-alone
workstations and network servers
Network intrusion detection and incident response
– Detects intruder attacks by using automated tools
and monitoring network firewall logs
Digital investigations
– Manages investigations and conducts forensics
analysis of systems suspected of containing evidence
PREPARING FOR DIGITAL INVESTIGATIONS
Digital investigations fall into two categories:
– Public-sector investigations
– Private-sector investigations
PREPARING FOR DIGITAL INVESTIGATIONS
Public-sector investigations involve government agencies responsible
for criminal investigations and prosecution
Fourth Amendment to the U.S. Constitution
– Restrict government search and seizure
The Department of Justice (DOJ) updates information on computer
search and seizure regularly
Private-sector investigations focus more on policy violations
UNDERSTANDING LAW ENFORCEMENT AGENCY INVESTIGATIONS
When conducting public-sector investigations, you must understand
laws on computer-related crimes including:
– Standard legal processes
– Guidelines on search and seizure
– How to build a criminal case
The Computer Fraud and Abuse Act was passed in 1986
– Specific state laws were generally developed later
FOLLOWING LEGAL PROCESSES
Digital Evidence First Responder (DEFR)
– Arrives on an incident scene, assesses the situation, and takes precautions to
acquire and preserve evidence
Digital Evidence Specialist (DES)
– Has the skill to analyze the data and determine when another specialist should be
called in to assist
Affidavit - a sworn statement in support of facts about or evidence of a
crime
– Must include exhibits that support the allegation
UNDERSTANDING PRIVATE-SECTOR INVESTIGATIONS
Private-sector investigations involve private companies and lawyers
who address company policy violations and litigation disputes
– Example: wrongful termination
Businesses strive to minimize or eliminate litigation
Private-sector crimes can involve:
– E-mail harassment, falsification of data, gender and age discrimination,
embezzlement, sabotage, and industrial espionage
UNDERSTANDING PRIVATE-SECTOR INVESTIGATIONS…
Businesses can reduce the risk of litigation by publishing and
maintaining policies that employees find easy to read and follow
Most important policies define rules for using the company’s
computers and networks
– Known as an “Acceptable use policy”
Line of authority - states who has the legal right to initiate an
investigation, who can take possession of evidence, and who can have
access to evidence
UNDERSTANDING PRIVATE-SECTOR INVESTIGATIONS…
Businesses can avoid litigation by displaying a warning banner on
computer screens
– Informs end users that the organization reserves the right to inspect computer
systems and network traffic at will
UNDERSTANDING PRIVATE-SECTOR INVESTIGATIONS…
Sample text that can be used in internal warning banners:
– Use of this system and network is for official business only
– Systems and networks are subject to monitoring at any time by the owner
– Using this system implies consent to monitoring by the owner
– Unauthorized or illegal users of this system or network will be subject to
discipline or prosecution
UNDERSTANDING PRIVATE-SECTOR INVESTIGATIONS…
During private investigations, you search for evidence to support
allegations of violations of a company’s rules or an attack on its assets
Three types of situations are common:
– Abuse or misuse of computing assets
– E-mail abuse
– Internet abuse
A private-sector investigator’s job is to minimize risk to the company
UNDERSTANDING PRIVATE-SECTOR INVESTIGATIONS…
The distinction between personal and company computer property can
be difficult with cell phones, smartphones, personal notebooks, and
tablet computers
Bring your own device (BYOD) environment
– Some companies state that if you connect a personal device to the business
network, it falls under the same rules as company property
MAINTAINING PROFESSIONAL CONDUCT
Professional conduct - includes ethics, morals, and standards of
behavior
An investigator must exhibit the highest level of professional behavior
at all times
– Maintain objectivity
– Maintain credibility by maintaining confidentiality
Investigators should also attend training to stay current with the latest
technical changes in computer hardware and software, networking,
and forensic tools
PREPARING A DIGITAL FORENSICS INVESTIGATION
The role of a digital forensics professional is to gather evidence to prove
that a suspect committed a crime or violated a company policy
Collect evidence that can be offered in court or at a corporate inquiry
– Investigate the suspect’s computer
– Preserve the evidence on a different computer
Chain of custody
– Route the evidence takes from the time you find it until the case is closed or goes
to court
AN OVERVIEW OF A COMPANY POLICY VIOLATION
Employees misusing resources can cost companies millions of dollars
Misuse includes:
– Surfing the Internet
– Sending personal e-mails
– Using company computers for personal tasks
TAKING A SYSTEMATIC APPROACH
Steps for problem solving
– Make an initial assessment about the type of case you are investigating
– Determine a preliminary design or approach to the case
– Create a detailed checklist
– Determine the resources you need
– Obtain and copy an evidence drive
TAKING A SYSTEMATIC APPROACH
Steps for problem solving (cont’d)
– Identify the risks
– Mitigate or minimize the risks
– Test the design
– Analyze and recover the digital evidence
– Investigate the data you recover
– Complete the case report
– Critique the case
ASSESSING THE CASE
Systematically outline the case details
– Situation
– Nature of the case
– Specifics of the case
– Type of evidence
– Known disk format
– Location of evidence
Based on these details, you can determine the case requirements
PLANNING YOUR INVESTIGATION
A basic investigation plan should include the following activities:
– Acquire the evidence
– Complete an evidence form and establish a chain of custody
– Transport the evidence to a computer forensics lab
– Secure evidence in an approved secure container
PLANNING YOUR INVESTIGATION
A basic investigation plan (cont’d):
– Prepare your forensics workstation
– Retrieve the evidence from the secure container
– Make a forensic copy of the evidence
– Return the evidence to the secure container
– Process the copied evidence with computer forensics tools
PLANNING YOUR INVESTIGATION
An evidence custody form helps you document what has been done
with the original evidence and its forensics copies
– Also called a chain-of-evidence form
Two types
– Single-evidence form
• Lists each piece of evidence on a separate page
– Multi-evidence form
SECURING YOUR EVIDENCE
Use evidence bags to secure and catalog the evidence
Use computer-safe products when collecting computer evidence
– Antistatic bags
– Antistatic pads
Use well-padded containers
Use evidence tape to seal all openings
– CD drive bays
– Insertion slots for power supply electrical cords and USB cables
SECURING YOUR EVIDENCE
Write your initials on tape to prove that evidence has not been
tampered with
Consider computer-specific temperature and humidity ranges
– Make sure you have a safe environment for transporting and storing it until a
secure evidence container is available
PROCEDURES FOR PRIVATE-SECTOR HIGH-TECH INVESTIGATIONS
As an investigator, you need to develop formal procedures and
informal checklists
– To cover all issues important to high-tech investigations
– Ensures that correct techniques are used in an investigation
EMPLOYEE TERMINATION CASES
The majority of investigative work for termination cases involves
employee abuse of corporate assets
Incidents that create a hostile work environment are the predominant
types of cases investigated
– Viewing pornography in the workplace
– Sending inappropriate e-mails
Organizations must have appropriate policies in place
INTERNET ABUSE INVESTIGATIONS
To conduct an investigation you need:
– Organization’s Internet proxy server logs
– Suspect computer’s IP address
– Suspect computer’s disk drive
– Your preferred computer forensics analysis tool
INTERNET ABUSE INVESTIGATIONS
Recommended steps
– Use standard forensic analysis techniques and procedures
– Use appropriate tools to extract all Web page URL information
– Contact the network firewall administrator and request a proxy server log
– Compare the data recovered from forensic analysis to the proxy server log
– Continue analyzing the computer’s disk drive data
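The comparison in the recommended steps above, as an added example that is not part of the slides or the textbook: it parses constructed Squid-style proxy log lines, keeps the entries logged for the suspect computer's IP address, and reports which URLs recovered from the disk the proxy log corroborates (with the proxy's timestamps) and which it does not. The log format, the IP address and the recovered URLs are all assumed sample values.

```python
"""Cross-check URLs recovered from a suspect's disk against the proxy server log.

Added example, not from the slides or the textbook. Assumes Squid native access.log
lines: 'timestamp elapsed client_ip code/status bytes method url user hier/peer type'.
The log excerpt, the suspect IP address and the recovered URLs are constructed.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit

PROXY_LOG = """\
1700000000.123 212 10.1.2.55 TCP_MISS/200 5120 GET http://news.example.com/story1 - HIER_DIRECT/203.0.113.10 text/html
1700000060.456 180 10.1.2.55 TCP_MISS/200 8000 GET http://gambling.example.net/bet?id=7 - HIER_DIRECT/203.0.113.20 text/html
1700000120.789 150 10.1.2.99 TCP_MISS/200 2048 GET http://gambling.example.net/bet?id=8 - HIER_DIRECT/203.0.113.20 text/html
1700000180.001 300 10.1.2.55 TCP_MISS/200 4096 GET http://intranet.example.com/policy - HIER_DIRECT/10.0.0.5 text/html
"""
# Constructed list of URLs carved from the suspect's browser history.
RECOVERED_URLS = [
    "http://gambling.example.net/bet?id=7",
    "http://news.example.com/story1",
    "http://unknown.example.org/page",  # on the disk, but the proxy never saw it
]

def parse_squid_line(line):
    """Return (timestamp, client_ip, url) for one log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    return ts, fields[2], fields[6]

def proxy_hits_for_client(log_text, client_ip):
    """Every (timestamp, url) the proxy recorded for the suspect's IP address."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed and parsed[1] == client_ip:
            hits.append((parsed[0], parsed[2]))
    return hits

def correlate(recovered_urls, proxy_hits):
    """Split recovered URLs into those the proxy log corroborates and those it does not.

    A corroborated URL comes back with the proxy's timestamps, an independent time
    reference that the disk artifact alone may not provide.
    """
    seen = {}
    for ts, url in proxy_hits:
        seen.setdefault(url, []).append(ts)
    corroborated = {u: seen[u] for u in recovered_urls if u in seen}
    uncorroborated = [u for u in recovered_urls if u not in seen]
    return corroborated, uncorroborated

def hosts_visited(proxy_hits):
    """Distinct hostnames in the proxy record, for a quick review against policy."""
    return sorted({urlsplit(url).hostname for _, url in proxy_hits})

if __name__ == "__main__":
    hits = proxy_hits_for_client(PROXY_LOG, "10.1.2.55")
    corroborated, uncorroborated = correlate(RECOVERED_URLS, hits)
    for url, times in corroborated.items():
        print("CONFIRMED", url, [t.isoformat() for t in times])
    for url in uncorroborated:
        print("NO PROXY RECORD", url)
    print("hosts:", hosts_visited(hits))
```

A URL with no proxy record is not proof of nothing: it may predate log retention or have been reached outside the proxy, so note it rather than discard it.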
E-MAIL ABUSE INVESTIGATIONS
To conduct an investigation you need:
– An electronic copy of the offending e-mail that contains message header data
– If available, e-mail server log records
– For e-mail systems that store users’ messages on a central server, access to the
server
– Access to the computer so that you can perform a forensic analysis on it
– Your preferred computer forensics analysis tool
E-MAIL ABUSE INVESTIGATIONS
Recommended steps
– Use the standard forensic analysis techniques
– Obtain an electronic copy of the suspect’s and victim’s e-mail folder or data
– For Web-based e-mail investigations, use tools such as FTK’s Internet Keyword
Search option to extract all related e-mail address information
– Examine header data of all messages of interest to the investigation
ATTORNEY-CLIENT PRIVILEGE INVESTIGATIONS
Under attorney-client privilege (ACP) rules for an attorney
– You must keep all findings confidential
Many attorneys like to have printouts of the data you have recovered
– You need to persuade and educate many attorneys on how digital evidence can
be viewed electronically
You can also encounter problems if you find data in the form of binary
files
ATTORNEY-CLIENT PRIVILEGE INVESTIGATIONS
Steps for conducting an ACP case
– Request a memorandum from the attorney directing you to start the investigation
– Request a list of keywords of interest to the investigation
– Initiate the investigation and analysis
– For disk drive examinations, make two bit-stream images using different tools for
each image
– Compare hash signatures on all files on the original and re-created disks
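The last two steps, verifying two images and comparing hashes, as an added example that is not part of the slides or the textbook: it streams MD5 and SHA-256 over two image files made by different tools and then compares per-file SHA-256 digests between an original tree and a re-created copy, listing changed, missing and extra files. The image file names, the directory trees and their contents are constructed sample data written to a temporary directory.

```python
"""Verify two independently acquired bit-stream images and compare per-file hashes.

Added example, not from the slides or the textbook. Image paths, directory trees
and file contents are constructed sample data written to a temporary directory.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-gigabyte images never load fully into RAM

def hash_file(path, algo="sha256"):
    """Hex digest of one file, streamed in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def images_match(image_a, image_b):
    """True only if both images agree under MD5 and SHA-256 (two digests, as older
    tools still report MD5 while a current report should carry SHA-256)."""
    return all(hash_file(image_a, a) == hash_file(image_b, a) for a in ("md5", "sha256"))

def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = hash_file(full)
    return digests

def compare_trees(original_root, copy_root):
    """Files whose content changed, files missing from the copy, files only in the copy."""
    orig, copy = hash_tree(original_root), hash_tree(copy_root)
    return {
        "changed": sorted(p for p in orig if p in copy and orig[p] != copy[p]),
        "missing": sorted(p for p in orig if p not in copy),
        "extra": sorted(p for p in copy if p not in orig),
    }

def build_sample_case():
    """Constructed data: two identical 'images' and a copy tree with one altered file."""
    base = tempfile.mkdtemp(prefix="acp_case_")
    image_a, image_b = (os.path.join(base, n) for n in ("tool_a.dd", "tool_b.dd"))
    payload = bytes(range(256)) * 4096  # 1 MiB of constructed disk content
    for p in (image_a, image_b):
        with open(p, "wb") as f:
            f.write(payload)
    for tree, memo in (("original", "draft v1"), ("copy", "draft v2")):
        d = os.path.join(base, tree, "docs")
        os.makedirs(d)
        with open(os.path.join(d, "contract.txt"), "w") as f:
            f.write("unchanged text\n")
        with open(os.path.join(d, "memo.txt"), "w") as f:
            f.write(memo)  # this file differs between original and copy
    return image_a, image_b, os.path.join(base, "original"), os.path.join(base, "copy")

if __name__ == "__main__":
    img_a, img_b, orig, copy = build_sample_case()
    print("images match:", images_match(img_a, img_b))
    print("tree differences:", compare_trees(orig, copy))
```

Record both image digests in the evidence custody form at acquisition time, so that the same hashes can be recomputed later to show the findings are repeatable.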
ATTORNEY-CLIENT PRIVILEGE INVESTIGATIONS
Steps for conducting an ACP case (cont’d)
– Methodically examine every portion of the disk drive and extract all data
– Run keyword searches on allocated and unallocated disk space
– For Windows OSs, use specialty tools to analyze and extract data from the
Registry
– For binary data files such as CAD drawings, locate the correct software product
– For unallocated data recovery, use a tool that removes or replaces nonprintable
data
ATTORNEY-CLIENT PRIVILEGE INVESTIGATIONS
Steps for conducting an ACP case (cont’d)
– Consolidate all recovered data from the evidence bit-stream image into folders
and subfolders
Other guidelines
– Minimize written communications with the attorney
– Any documentation written to the attorney must contain a header stating that it’s
“Privileged Legal Communication—Confidential Work Product”
– Assist the attorney and paralegal in analyzing data
INDUSTRIAL ESPIONAGE INVESTIGATIONS
All suspected industrial espionage cases should be treated as criminal
investigations
Staff needed
– Computing investigator who is responsible for disk forensic examinations
– Technology specialist who is knowledgeable of the suspected compromised
technical data
– Network specialist who can perform log analysis and set up network sniffers
– Threat assessment specialist (typically an attorney)
INDUSTRIAL ESPIONAGE INVESTIGATIONS
Guidelines when initiating an investigation
– Determine whether this investigation involves a possible industrial espionage
incident
– Consult with corporate attorneys and upper management
– Determine what information is needed to substantiate the allegation
– Generate a list of keywords for disk forensics and sniffer monitoring
– List and collect resources for the investigation
INDUSTRIAL ESPIONAGE INVESTIGATIONS
Guidelines (cont’d)
– Determine goal and scope of the investigation
– Initiate investigation after approval from management
Planning considerations
– Examine all e-mail of suspected employees
– Search Internet newsgroups or message boards
– Initiate physical surveillance
– Examine facility physical access logs for sensitive areas
INDUSTRIAL ESPIONAGE INVESTIGATIONS
Planning considerations (cont’d)
– Determine suspect location in relation to the vulnerable asset
– Study the suspect’s work habits
– Collect all incoming and outgoing phone logs
Steps to conducting an industrial espionage case
– Gather all personnel assigned to the investigation and brief them on the plan
– Gather resources to conduct the investigation
INDUSTRIAL ESPIONAGE INVESTIGATIONS
Steps (cont’d)
– Place surveillance systems at key locations
– Discreetly gather any additional evidence
– Collect all log data from networks and e-mail servers
– Report regularly to management and corporate attorneys
– Review the investigation’s scope with management and corporate attorneys
SETTING UP YOUR WORKSTATION FOR DIGITAL FORENSICS
Basic requirements
– A workstation running Windows XP or later
– A write-blocker device
– Digital forensics acquisition tool
– Digital forensics analysis tool
– Target drive to receive the source or suspect disk data
– Spare PATA or SATA ports
– USB ports
SETTING UP YOUR WORKSTATION FOR DIGITAL FORENSICS
Additional useful items
– Network interface card (NIC)
– Extra USB ports
– FireWire 400/800 ports
– SCSI card
– Disk editor tool
– Text editor tool
– Graphics viewer program
– Other specialized viewing tools
COMPLETING THE CASE
You need to produce a final report
– State what you did and what you found
Include a ProDiscover report to document your work
Repeatable findings
– Repeat the steps and produce the same result
If required, use a report template
Report should show conclusive evidence
– Suspect did or did not commit a crime or violate a company policy
COMPLETING THE CASE
Keep a written journal of everything you do
– Your notes can be used in court
Answer the six Ws:
– Who, what, when, where, why, and how
You must also explain computer and network processes
CRITIQUING THE CASE
Ask yourself the following questions:
– How could you improve your performance in the case?
– Did you expect the results you found? Did the case develop in ways you did not
expect?
– Was the documentation as thorough as it could have been?
– What feedback has been received from the requesting source?
CRITIQUING THE CASE
Ask yourself the following questions (cont’d):
– Did you discover any new problems? If so, what are they?
– Did you use new techniques during the case or during research?
LAB SESSION