
Guide to Computer Forensics

and Investigations

Chapter 1
Understanding the Digital Forensics
Profession and Investigations
An Overview

• Computer forensics (now typically called digital forensics)


– Involves obtaining and analyzing digital information
• As evidence in civil, criminal, or administrative cases

Guide to Computer Forensics and Investigations 0


An Overview (continued)

• The former director of the Defense Computer
Forensics Lab, Ken Zatyko, defined it as:
– “the application of computer science and investigative
procedures for a legal purpose involving the analysis
of digital evidence (information of probative value that
is stored or transmitted in binary format) after proper
search authority, chain of custody, validation with
mathematics (hash function), use of validated tools,
repeatability, reporting and possible expert
presentation”
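The definition above lists validation with mathematics (hash function) and repeatability among the requirements for digital evidence. The script below is an added example written for this page, not code from the textbook or the slides. It hashes a constructed evidence image in chunks (so multi-gigabyte images need not fit in memory), records the digests in a chain-of-custody log, and re-verifies the image on later access, showing that a single flipped bit is detected. The file name suspect_disk.dd, the examiner name and the image contents are invented for the demonstration; MD5 is computed only because older reports still quote it, and SHA-256 is the value to rely on.

```python
"""Hash validation of an evidence image for chain of custody.

Added example, not from the textbook. Standard library only.
"""
import hashlib
import io
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB: hash large images without loading them into memory


def hash_stream(fh, algorithms=("md5", "sha256")):
    """Hash a binary stream with every named algorithm in a single pass.

    Returns {algorithm: hexdigest}. MD5 is kept only because older
    acquisition tools and reports record it; SHA-256 is the digest that
    should actually be relied on, since MD5 collisions are practical.
    """
    hashers = {name: hashlib.new(name, usedforsecurity=False) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper: hash an in-memory byte string."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file on disk, reading it in CHUNK-sized blocks."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def record_acquisition(path, examiner, log):
    """Append a chain-of-custody entry: who hashed which file, when, and the digests."""
    entry = {
        "event": "acquisition",
        "examiner": examiner,  # assumed identifier, not a real person
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "hashes": hash_file(path),
    }
    log.append(entry)
    return entry


def verify_against_record(path, entry):
    """Re-hash the file and compare with the recorded digests.

    Returns (ok, mismatches); mismatches maps algorithm -> (recorded, observed).
    Every algorithm must match: one differing digest means the image is no
    longer the one that was acquired.
    """
    observed = hash_file(path, tuple(entry["hashes"]))
    mismatches = {
        alg: (entry["hashes"][alg], observed[alg])
        for alg in observed
        if observed[alg] != entry["hashes"][alg]
    }
    return (not mismatches, mismatches)


def demo():
    """Acquire a constructed image, verify it, flip one bit, verify again."""
    # Constructed evidence image (not real data): a fake header plus filler
    # larger than CHUNK so the chunked read path is exercised.
    image = b"EVIDENCE-IMAGE-v1\x00" + bytes(range(256)) * 4096
    log = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suspect_disk.dd")  # invented file name
        with open(path, "wb") as fh:
            fh.write(image)
        entry = record_acquisition(path, "examiner-01", log)
        ok_before, _ = verify_against_record(path, entry)

        # Simulate modification after acquisition: flip the low bit of one byte.
        offset = len(image) // 2
        with open(path, "r+b") as fh:
            fh.seek(offset)
            original = fh.read(1)
            fh.seek(offset)
            fh.write(bytes([original[0] ^ 0x01]))
        ok_after, mismatches = verify_against_record(path, entry)
    return ok_before, ok_after, sorted(mismatches), log


if __name__ == "__main__":
    before, after, bad, custody_log = demo()
    print("verified after acquisition:", before)
    print("verified after modification:", after, "mismatching:", bad)
    print(json.dumps(custody_log, indent=2))
```

Repeatability in the definition means another examiner running the same procedure on the same image must obtain the same digests; recording the algorithm, the file size and the time alongside the digest, as the log entry does, is what makes that comparison possible later.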



An Overview (continued)

• FBI Computer Analysis and Response Team (CART)


– Formed in 1984 to handle the increasing number of
cases involving digital evidence



An Overview (continued)

• Fourth Amendment to the U.S. Constitution


– Protects everyone’s rights to be secure in their
person, residence, and property
• From unreasonable search and seizure

– Search warrants are needed




Digital Forensics and Other Related
Disciplines
• Digital forensics
– Investigates data that can be retrieved from a computer’s hard
disk or other storage media
• Network forensics
– Yields information about how an attacker gained access to a
network, along with files that might have been copied, examined,
or tampered with
– Uses log files: when, how, and from where users logged on, and
accessed URLs
• Data recovery
– Recovering information that was deleted by mistake or lost during
a power surge or server crash



Digital Forensics and Other Related
Disciplines (continued)
• Digital forensics
– Task of recovering data that users have hidden or
deleted and using it as evidence
– Evidence can be inculpatory (“incriminating”) or
exculpatory (clears the suspect)



Digital Forensics and Other Related
Disciplines (continued)
Figure 1-1: The investigations triad (the computing security team)
• Vulnerability/Threat Assessment and Risk Management
– This group tests for vulnerabilities of OSs and
applications used in the network
• Network Intrusion Detection and Incident Response
– This group detects intruder attacks and responds
• Digital Investigations
– This group manages investigations and conducts
forensics analysis of systems containing evidence


A Brief History of Digital Forensics
• By the 1970s, electronic crimes were increasing,
especially in the financial sector
– Most law enforcement officers didn’t know enough
about computers to ask the right questions
• Or to preserve evidence for trial
• 1980s
– PCs gained popularity and different OSs emerged
– Disk Operating System (DOS) was available
– Forensics tools were simple, and most were
generated by government agencies



A Brief History of Digital Forensics
(continued)
• Mid-1980s
– XTree Gold appeared on
the market
• Recognized file types and
retrieved lost or deleted
files
– Norton DiskEdit soon
followed
• And became the best tool
for finding deleted files



A Brief History of Digital Forensics
(continued)
• 1987
– Apple produced the
Mac SE
• A Macintosh with an
external EasyDrive
hard disk with 60 MB
of storage



A Brief History of Digital Forensics
(continued)
• Early 1990s
– Tools for computer forensics were available
– International Association of Computer
Investigative Specialists (IACIS)
• Training on software for forensics investigations
– IRS created search-warrant programs
– ExpertWitness for the Macintosh
• First commercial GUI software for computer forensics
• Created by ASR Data
• Recovers deleted files and fragments of deleted files



A Brief History of Digital Forensics
(continued)
• Early 1990s (continued)
– Large hard disks posed problems for investigators
• Most DOS-based SW didn’t recognize a hard disk larger
than 8GB
– Other software
• iLook
• AccessData Forensic Toolkit (FTK)



Understanding Case Law
• Technology is evolving at an exponential pace
– Existing laws and statutes can’t keep up with change
• Case law used when statutes or regulations don’t exist

• Case law allows legal counsel to use previous cases similar to the
current one
– Because the laws don’t yet exist

• Each case is evaluated on its own features and issues




Developing Digital Forensics
Resources
• You must know more than one computing platform
– Such as DOS, Windows 9x, Linux, Macintosh, and
current Windows platforms

• Join as many computer user groups as you can

• Computer Technology Investigators Network (CTIN)
– Meets monthly to discuss problems that law
enforcement and corporations face



Developing Digital Forensics
Resources (continued)
• High Technology Crime Investigation
Association (HTCIA)
– Exchanges information about techniques related to
computer investigations and security
• User groups can be helpful

• Build a network of computer forensics experts and
other professionals
– And keep in touch through e-mail
• Outside experts can provide detailed information you
need to retrieve digital evidence



Preparing for Digital Investigations
• Digital investigations and forensics falls into two
distinct categories
– Public investigations
– Private or corporate investigations
• Public investigations
– Involve government agencies responsible for criminal
investigations and prosecution
– Organizations must observe legal guidelines
• Law of search and seizure
– Protects rights of all people, including suspects





Preparing for Digital Investigations
(continued)
• Private or corporate investigations
– Deal with private companies, non-law-enforcement
government agencies, and lawyers
– Aren’t governed directly by criminal law or Fourth
Amendment issues
– Governed by internal policies that define expected
employee behavior and conduct in the workplace
• Private corporate investigations also involve litigation
disputes
• Investigations are usually conducted in civil cases


Understanding Law Enforcement
Agency Investigations
• In a criminal case, a suspect is charged with a
criminal offense
– Such as burglary, murder, or molestation
• Computers and networks may be the only tools that
can be used to commit crimes

– Many states have added specific language to


criminal codes to define crimes involving computers
• Following the legal process
– Legal processes depend on local custom, legislative
standards, and rules of evidence


Understanding Law Enforcement
Agency Investigations (continued)
• Following the legal process (continued)
– Criminal case follows three stages
• The complaint, the investigation, and the prosecution


Understanding Law Enforcement
Agency Investigations (continued)
• Following the legal process (continued)
– A criminal case begins when someone finds
evidence of an illegal act
– Complainant makes an allegation
– A police officer interviews the complainant and writes
a report about the crime
• Police blotter provides a record of clues to crimes
that have been committed previously
– Investigators delegate, collect, and process the
information related to the complaint



Understanding Law Enforcement
Agency Investigations (continued)
• Following the legal process (continued)
– After you build a case, the information is turned over
to the prosecutor
– Affidavit
• Sworn statement in support of facts about or evidence
of a crime
– Submitted to a judge to request a search warrant
• Have the affidavit notarized under sworn oath
– Judge must approve and sign a search warrant
• Before you can use it to collect evidence



Understanding Private-Sector
Investigations
• Private or corporate investigations
– Involve private companies and lawyers who address
company policy violations and litigation disputes
• Corporate computer crimes can involve:
– E-mail harassment
– Falsification of data
– Gender and age discrimination
– Embezzlement
– Sabotage
– Industrial espionage



Understanding Private-Sector
Investigations (continued)
• Establishing company policies
– One way to avoid litigation is to publish and maintain
policies that employees find easy to read and follow
– Published company policies provide a line of authority
• For a business to conduct internal investigations
– Well-defined policies
• Give computer investigators and forensic examiners the
authority to conduct an investigation
• Displaying Warning Banners
– Another way to avoid litigation
Understanding Private-Sector
Investigations (continued)
• Displaying Warning Banners (continued)
– Warning banner
• Usually appears when a computer starts or connects to
the company intranet, network, or virtual private network
• Informs end users that the organization reserves the right
to inspect computer systems and network traffic which
establishes the right to conduct an investigation
– As a corporate computer investigator
• Make sure company displays well-defined warning banner



Understanding Private-Sector
Investigations (continued)
• Designating an authorized requester
– Authorized requester has the power to conduct
investigations

• Should be defined by executive management


– Groups that should have direct authority to request
computer investigations
• Corporate Security Investigations
• Corporate Ethics Office
• Corporate Equal Employment Opportunity Office
• Internal Auditing
• The general counsel or Legal Department



Understanding Private-Sector
Investigations (continued)
• Conducting security investigations
– Types of situations
• Abuse or misuse of corporate assets
• E-mail abuse
• Internet abuse
– Be sure to distinguish between a company’s abuse
problems and potential criminal problems



Understanding Private-Sector
Investigations (continued)
• Distinguishing personal and company property
– Many company policies distinguish between personal
and company computer property

– One area that’s difficult to distinguish involves PDAs,
cell phones, and personal notebook computers
– The safe policy is to not allow any personally owned
devices to be connected to company-owned resources
• Limiting the possibility of mixing personal and company
data

Maintaining Professional Conduct
• Professional conduct
– Determines your credibility
– Includes ethics, morals, and standards of behavior
• Maintaining objectivity means you must form and
sustain unbiased opinions of your cases
• Maintain an investigation’s credibility by keeping the
case confidential
– In the corporate environment, confidentiality is critical
• In rare instances, your corporate case might become
a criminal case as serious as murder



Maintaining Professional Conduct
(continued)
• Enhance your professional conduct by continuing your
training
• Record your fact-finding methods in a journal
• Attend workshops, conferences, and vendor courses
• Membership in professional organizations adds to
your credentials
• Achieve a high public and private standing and
maintain honesty and integrity



Summary
• Computer forensics applies forensics procedures to
digital evidence
• Laws about digital evidence established in the 1970s
• To be a successful computer forensics investigator,
you must know more than one computing platform
• Public and private computer investigations are
different



Summary (continued)
• Use warning banners to remind employees and
visitors of policy on computer and Internet use
• Companies should define and limit the number of
authorized requesters who can start an investigation
• Silver-platter doctrine refers to handing the results of
private investigations over to law enforcement
because of indications of criminal activity
• Computer forensics investigators must maintain
professional conduct to protect their credibility
