Date post: 27-Dec-2015
SAK 4801 INTRODUCTION TO COMPUTER FORENSICS Chapter 3 Computer Investigation Process Mohd Taufik Abdullah Department of Computer Science Faculty of Computer Science and Information Technology University Putra of Malaysia Portions of the material courtesy Professor EC-Council

2 Chapter 3 Computer Investigation Process SAK4801 Introduction to Computer Forensics

Learning Objectives
• Explain how to prepare a computer investigation
• Apply a systematic approach to an investigation
• Describe procedures for corporate high-tech investigations
• Explain requirements for data recovery workstations and software
• Describe how to conduct an investigation
• Explain how to complete and critique a case

Chapter 3 Outline
3. Computer Investigation Process
3.1. Introduction
3.2. Investigating Computer Crime
3.3. Investigating Company Policy Violations
3.4. Conducting a Computer Forensic Investigation

3.1 Introduction

3.1 Introduction
• Computer forensics differs from other forensic sciences: electronic evidence is collected and examined.
• Although fingerprints or other evidence may also be obtained from the devices collected at a crime scene, a computer forensic technician will use specialized methods, techniques, and tools to acquire data stored on digital storage media.

3.1 Introduction (Cont.)
• Once the data is acquired from a device, the computer forensic technician will then examine it to identify which files, folders, or information may be useful as evidence and can provide facts about the case.
• Although computer forensics is commonly used in criminal cases, it may also be used in civil disputes or corporate investigations, such as when internal policies have been violated. For example, when an employee is suspected of using computing resources to perform some action that violates policy, the files, e-mail, and other data on the computer may be inspected.
• Because there is the possibility that the violations could lead to criminal charges or civil actions against the employee, it is important that forensic procedures are followed.

3.1 Introduction (Cont.)
• Collecting such evidence requires following established procedures, and can take a considerable amount of time to ensure it is collected correctly. Because it may reveal the identity of a culprit and be used to establish the guilt or innocence of people, it is vital that the data aren't modified as they are acquired, or altered afterwards when the data are examined.
• Any actions taken must be documented in case this information is required in court.

3.1 Introduction (Cont.)
• Files stored on computers are often used in place of other record systems, and may contain a significant amount of information that can be employed to convict a suspect or prove their innocence.
• For example, in a homicide investigation, a suspect may have written about their plans in a diary on the computer, or in a blog on the Internet.

3.1 Introduction (Cont.)
Investigating computer crime:
• Determine if there has been an incident
• Find and interpret the clues left behind
• Do a preliminary assessment to search for the evidence
• Search and seize the computer equipment

3.2 Investigating Computer Crime

3.2.1 How an Investigation Starts
Plan your investigation. A basic investigation plan should include the following activities:
• Acquire the evidence
• Complete an evidence form and establish a chain of custody
• Transport the evidence to a computer forensics lab
• Secure evidence in an approved secure container
• Prepare a forensics workstation
• Obtain the evidence from the secure container
• Make a forensic copy of the evidence
• Return the evidence to the secure container
• Process the copied evidence with computer forensics tools

3.2.1 How an Investigation Starts (Cont.)
An evidence custody form helps you document what has been done with the original evidence and its forensic copies. Two types:
• Single-evidence form: lists each piece of evidence on a separate page
• Multi-evidence form

3.2.1 How an Investigation Starts (Cont.) When crimes are committed using

computers, often the only evidence available to prosecute the person who committed the offense format. Illegal images will only be stored on a hard disk or other media

Proof of an intruder’s activities may be stored in log files

3.2.1 How an Investigation Starts (Cont.)
• Documents containing evidence of the crime are only available by investigating the computers used in the crime or those subjected to the crime.
• By examining the digital contents of these computers, an investigation can reach a successful conclusion:
  Prosecuting the culprit
  Using information acquired from the investigation to make existing systems more secure

3.2.1 How an Investigation Starts (Cont.)
• Investigations always start with a crime being committed and someone noticing it.
• For an investigation to begin, someone must notice the crime has happened and report it to the appropriate authorities. If no complaint is made, the person gets away with the crime.
• The key role in any investigation is the complainant (plaintiff).

3.2.1 How an Investigation Starts (Cont.)
People typically perform three major roles when conducting an investigation: First Responder, Investigator, and Crime Scene Technician.
• First responder (a complainant)
  Identifies and protects the crime scene
  Preserves volatile evidence

3.2.1 How an Investigation Starts (Cont.)
• Investigator (may be a member of law enforcement or the computer incident response team)
  Establishes chain of command
  Conducts search of the crime scene
  Maintains integrity of evidence

3.2.1 How an Investigation Starts (Cont.)
• Crime scene technician (individuals who have been trained in computer forensics)
  Preserves volatile evidence and duplicates disks
  Shuts down systems for transport
  Tags and logs evidence
  Packages and transports evidence
  Processes evidence

3.2.2 Investigation Methodology
• Investigation methodology is the practices, procedures, and techniques used to collect, store, analyze, and present information and evidence that is obtained through a computer forensics investigation.
• The individual steps to perform these tasks may vary from case to case and depend on the types of software and equipment used, but common practices will always be consistent.

3.2.2 Investigation Methodology (Cont.)
The methodology of a computer forensics investigation can be divided into three basic stages: Acquisition, Authentication, and Analysis.

3.2.2 Investigation Methodology (Cont.)
Acquisition
• The act or process of gathering information and evidence.
• The evidence in computer forensics is the data stored on the computer, not the computer that has been seized.
• The data will be used to provide insight into the details of a crime or other incident, and be used as evidence to convict a suspect.
• Make an exact copy of everything stored on the hard disk.

3.2.2 Investigation Methodology (Cont.)
Authentication
• A process of ensuring that the acquired evidence is the same as the data that was originally seized.
• If the data acquired from a computer were corrupted, modified, or missing from the imaging process, it would not only affect your ability to accurately examine the machine's contents, but could also make all of the evidence you find on the computer inadmissible in court.

3.2.2 Investigation Methodology (Cont.)
Analysis
• A process of examining and evaluating information.
• When examining computer files, it is vital that they aren't modified in any way.
• This not only refers to changing the information in the file itself (such as by accidentally changing the values entered in a spreadsheet), but also to modifying the properties of the file.
• For example, opening a file could change the date and time property that shows when the file was last accessed.

3.2.3 The Role of Evidence
• Identify what evidence is present, and where it is located.
• Investigators must follow the rules of evidence depending on the laws of the locality where the crime has been committed.
• For example, if someone broke into a server room and changed permissions on the server, the room and the server would be where you would find evidence.
• Identify how the evidence can be recovered.
• Photograph the screen of a computer to record any volatile data displayed.
• Collect backup media.

3.2.3 The Role of Evidence (Cont.)
• The findings from evidence admitted in a criminal case can be used in a civil court, and vice versa.
• The latest rules regarding digital evidence are updated on the US Department of Justice web site, www.usdoj.gov.

3.2.4 Securing Evidence
• Securing evidence is a process that begins when a crime is first suspected, and continues after the examination has been completed. Even if a trial, civil suit, or disciplinary hearing has ended, the evidence must remain secure in case of an appeal or other processes.
• The integrity of evidence must be retained, so that original evidence is preserved in a state as close as possible to when it was initially acquired.

3.2.4 Securing Evidence (Cont.)
• If evidence is lost, altered, or damaged, then you may not be able to even mention it in court.
• The credibility of how evidence was collected and examined may be called into question, making other pieces of evidence inadmissible as well.
• Evidence acquired from the crime scene depends upon the nature of the case and the alleged crime or violation.

3.2.4 Securing Evidence (Cont.)
Standard tools to help secure evidence at a crime scene include:
• Digital camera
• Sketchpad
• Pencils
• Tape
• Gloves
• Screwdriver
• Evidence bags
• Needle-nose pliers
• Bolt cutters

3.2.4 Securing Evidence (Cont.)
• Evidence for a case may include an entire computer and its associated media.
• Securing the crime scene includes capturing volatile evidence (lost when a system is powered off or if power is disrupted), in order of volatility:
  Registers and cache
  Routing tables, ARP cache, process tables, and kernel statistics
  Contents of system memory
  Temporary file systems
  Data on disk

3.2.4 Securing Evidence (Cont.)
• Sterilize all the media to be used in the examination process.
• Enter the crime scene, take a snapshot of the scene, and then carefully scan the data sources.
• Retain and document the state and integrity of items at the crime scene.

3.2.4 Securing Evidence (Cont.)
• Take custody of the entire computer, including hardware peripherals such as keyboard, mouse, and monitor.
• All floppy diskettes and other removable media must be confiscated and taken to the forensic lab for preservation and duplication.
• Use evidence bags to secure and catalog the evidence.
• Use computer-safe products: antistatic bags, antistatic pads.

3.2.4 Securing Evidence (Cont.)
• Use evidence tape to seal all openings:
  Floppy disk or CD/VCD drives
  USB drive
  Power supply electrical cord
• Write your initials on the tape to prove that evidence has not been tampered with.
• Consider computer-specific temperature and humidity ranges.
• Use well-padded containers.
• Transport the evidence to the forensic facility.

3.2.5 Chain of Evidence Form
• Also known as chain of custody: the route the evidence takes from the time you find it until the case is closed or goes to court.
• Important because it proves where a piece of evidence was at any given time and who was responsible for it.
• You can establish that the integrity of evidence was not compromised.


3.2.5 Chain of Evidence Form (Cont.) Example
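The example form itself is not reproduced in the transcript. As an added example that is not part of the lecture, the following Python log records each hand-over of an evidence item and answers the two questions the form exists for: who held the item at a given time, and where it was. All names, times and the evidence tag are constructed.

```python
"""Chain-of-custody log (added example, not part of the lecture slides).

Every hand-over of an evidence item is recorded: who released it, who received
it, when, where it went and why. The log then answers the two questions the
chain-of-custody form exists for: where was the item at a given time, and who
was responsible for it. All names, times and tags below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional


@dataclass
class CustodyEntry:
    when: datetime        # time of the hand-over (parsed from ISO 8601 with offset)
    released_by: str      # who gave up custody ("scene" marks the initial seizure)
    received_by: str      # who took custody
    location: str         # where the item is after the hand-over
    purpose: str          # why it moved: seizure, transport, imaging, storage, ...


@dataclass
class EvidenceItem:
    item_id: str          # constructed evidence tag, not a real case number
    description: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def transfer(self, when: str, released_by: str, received_by: str,
                 location: str, purpose: str) -> None:
        """Append a hand-over; refuse anything that would leave a gap in the chain."""
        ts = datetime.fromisoformat(when)
        if self.entries:
            last = self.entries[-1]
            if ts < last.when:
                raise ValueError("custody entries must be chronological")
            if released_by != last.received_by:
                # This gap is exactly the break that makes evidence challengeable:
                # the person releasing the item is not the last recorded custodian.
                raise ValueError(f"chain broken: last custodian was {last.received_by!r}, "
                                 f"but {released_by!r} is releasing the item")
        self.entries.append(CustodyEntry(ts, released_by, received_by, location, purpose))

    def custodian_at(self, when: str) -> Optional[CustodyEntry]:
        """Entry in force at `when`: who held the item and where it was."""
        ts = datetime.fromisoformat(when)
        current = None
        for entry in self.entries:
            if entry.when <= ts:
                current = entry
            else:
                break
        return current

    def chain_is_continuous(self) -> bool:
        """True when every release matches the previous receipt (no gaps)."""
        return all(b.released_by == a.received_by
                   for a, b in zip(self.entries, self.entries[1:]))


def build_sample_log() -> EvidenceItem:
    """Constructed custody history for one seized hard disk."""
    item = EvidenceItem("CASE-0001/ITEM-03", "500 GB SATA disk from suspect workstation")
    item.transfer("2015-12-01T09:05:00+00:00", "scene", "A. First-Responder",
                  "Server room, bagged and sealed", "seizure")
    item.transfer("2015-12-01T10:30:00+00:00", "A. First-Responder", "B. Investigator",
                  "Evidence vehicle", "transport to lab")
    item.transfer("2015-12-01T11:45:00+00:00", "B. Investigator", "C. Lab-Technician",
                  "Lab imaging bench", "forensic imaging")
    item.transfer("2015-12-01T14:00:00+00:00", "C. Lab-Technician", "D. Evidence-Custodian",
                  "Secure evidence locker", "storage")
    return item


if __name__ == "__main__":
    log = build_sample_log()
    entry = log.custodian_at("2015-12-01T12:00:00+00:00")
    print(f"{log.item_id} at 12:00 UTC: held by {entry.received_by} at {entry.location}")
```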

3.2.6 Before Investigating
The following points should be kept in mind before starting the investigation:
• Have skilled professionals
• Workstation and data recovery lab
• Alliance with a local District Attorney
• Define the methodology

3.2.6 Before Investigating (Cont.)
When a crime does occur, certain actions must also be taken before attempting to acquire evidence from a machine:
• Preparing for an investigation
• Interviewing
• Search warrants

3.2.6 Before Investigating (Cont.)
Preparing for an investigation. The following points need to be considered:
• Good understanding of the technical, legal, and evidentiary aspects of computers and networks
• Proper methodology
• Steps for collecting and preserving the evidence
• Steps for performing forensic analysis

3.2.6 Before Investigating (Cont.)
• Interviewing: usually conducted to collect information from a witness or suspect about specific facts related to an investigation.
• Search warrants: a legal document that permits members of law enforcement to search a specific location for evidence related to a criminal investigation, and possibly seize that evidence so it can be analyzed and possibly used in court.

3.2.6 Before Investigating (Cont.)
Executing the investigation
• To carry out an investigation, a search warrant from a court is required.
• Warrants can be issued for: an entire company, a floor, a room, just a device, a car, a house, or any company property.

3.2.7 Professional Conduct
• Maintain professional conduct at all times in an investigation; this determines the credibility of a forensic investigator.
• Investigators must display the highest level of ethics and integrity; this indicates how you are handling the case as a whole.
• Maintain a balance of morality and objectivity.

3.2.7 Professional Conduct (Cont.)
• Professional detachment: placing all of your attention on the work rather than the emotional or psychological stress factors that may be involved.
• Confidentiality is an essential feature which all forensic investigators must keep: keep information about the case private and do not reveal information to those who are not directly involved in investigating the incident.

3.3 Investigating Company Policy Violations

3.3.1 Policy and Procedure Development
Policy violations
• All employees of the company should be informed of the company policy.
• Employees using the company's resources for personal use not only waste the company's time and resources but also violate company policy.
• Employees misusing resources can cost companies millions of dollars.

3.3.1 Policy and Procedure Development (Cont.)
Policy violations
• Misuse includes: surfing the Internet, sending personal e-mails, using company computers for personal tasks.
• Such employees should be traced and educated about the company policy.
• If the problem persists, action should be taken.

3.3.2 Employee Termination Cases
• The majority of investigative work for termination cases involves employee abuse of corporate assets.
• Internet abuse investigations. To conduct an investigation you need:
  Organization's Internet proxy server logs
  Suspect computer's IP address
  Suspect computer's disk drive
  Your preferred computer forensics analysis tool

3.3.2 Employee Termination Cases (Cont.)
Recommended steps:
• Use standard forensic analysis techniques and procedures
• Use appropriate tools to extract all Web page URL information
• Contact the network firewall administrator and request a proxy server log
• Compare the data recovered from forensic analysis to the proxy server log
• Continue analyzing the computer's disk drive data
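The comparison step above, as an added example that is not part of the lecture: URLs recovered from the suspect's disk are matched against the proxy log entries for the suspect's IP address, so each finding is either corroborated by both sources or flagged as present in only one. The log lines, the IP address and the recovered URLs are constructed, and the whitespace-separated "native" proxy log layout is an assumption about the organization's proxy.

```python
"""Corroborating URLs recovered from a suspect's disk against proxy server logs.

Added example, not part of the lecture slides. The log excerpt and the list of
recovered URLs are constructed. The log layout assumed here is the common
whitespace-separated proxy format: timestamp, elapsed ms, client IP, status,
bytes, method, URL, ident, hierarchy, content type.
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit, urlunsplit

# Constructed proxy log excerpt.
PROXY_LOG = """\
1448966520.101   230 10.20.30.44 TCP_MISS/200 5123 GET http://shop.example.net/cart - DIRECT/203.0.113.10 text/html
1448966581.472    88 10.20.30.44 TCP_HIT/200  913 GET http://www.example.com/ - NONE/- text/html
1448966640.005   410 10.20.30.44 TCP_MISS/200 7789 GET http://shop.example.net/checkout?step=2 - DIRECT/203.0.113.10 text/html
1448966655.300   120 10.20.30.99 TCP_MISS/200 2048 GET http://shop.example.net/cart - DIRECT/203.0.113.10 text/html
1448966701.912   301 10.20.30.44 TCP_MISS/200 4400 GET http://intranet.example.com/timesheet - DIRECT/198.51.100.7 text/html
"""

SUSPECT_IP = "10.20.30.44"   # constructed: the IP address assigned to the suspect's computer

# Constructed set of URLs that disk analysis (browser history, cache, swap) turned up.
RECOVERED_FROM_DISK = [
    "http://shop.example.net/cart",
    "http://shop.example.net/checkout?step=2",
    "http://intranet.example.com/timesheet",
    "http://games.example.org/play",   # no proxy record: old history, cache, or a route that bypassed the proxy
]


def normalise(url: str) -> str:
    """Canonical form so trivial differences (host case, fragment, trailing slash) do not hide a match."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def parse_proxy_line(line: str):
    """Return (utc_datetime, client_ip, normalised_url), or None for lines that do not parse."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    except ValueError:
        return None
    return ts, fields[2], normalise(fields[6])


def proxy_urls_for(log_text: str, client_ip: str) -> dict:
    """Map each URL requested by `client_ip` to the list of UTC times it was seen."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec and rec[1] == client_ip:
            seen.setdefault(rec[2], []).append(rec[0])
    return seen


def compare(recovered: list, proxy_seen: dict) -> dict:
    """Split findings into corroborated / disk-only / proxy-only groups."""
    disk = {normalise(u) for u in recovered}
    proxy = set(proxy_seen)
    return {
        "corroborated": sorted(disk & proxy),   # on disk and in the proxy log: the strongest finding
        "disk_only": sorted(disk - proxy),      # needs another source before the report relies on it
        "proxy_only": sorted(proxy - disk),     # requested but not recovered: worth a second look at the disk
    }


def run_demo() -> dict:
    return compare(RECOVERED_FROM_DISK, proxy_urls_for(PROXY_LOG, SUSPECT_IP))


if __name__ == "__main__":
    for bucket, urls in run_demo().items():
        print(f"{bucket}: {urls}")
```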

3.3.2 Warning Banners
• A warning banner is text that flashes at the point of access to a company computer.
• Two items that should appear:
  Text that states the ownership of the computer
  Text that specifies appropriate use of the machine or Internet access

3.3.2 Warning Banners (Cont.)
• Flashes at the point of access; warns both authorized and unauthorized users.
• A banner policy makes it easier to conduct an investigation of unauthorized usage.
• Employees are warned about the consequences if the company's policies are violated.


3.3.2 Warning Banners (Cont.) Example of warning banners

3.4 Conducting a Computer Forensic Investigation

3.4.1 The Investigation Process
• To perform an investigation properly, it is important to follow set procedures which detail the steps to be taken.
• Following these guidelines will:
  Help you meet the goals of handling an incident
  Provide information that can be used to handle the incident
  Avoid the incident escalating into a more significant problem

3.4.1 The Investigation Process (Cont.)
Six steps should be followed: Preparation, Detection, Containment, Eradication, Recovery, Follow-up.

3.4.1 The Investigation Process (Cont.)
Preparation
• Preparation enables easy coordination among staff
• Providing baseline protection
• Using virus detection and eradication tools
• Providing training to the staff
Detection
• This involves validating, identifying, and reporting the incident
• Determining the symptoms given in 'how to identify an incident'

3.4.1 The Investigation Process (Cont.)
• Identifying the nature of the incident:
  Identify the events
  Protect the evidence
  Log and make a report of whatever anomalies have occurred
• Some of the important symptoms that can be found:
  An intrusion detection system alarm: as an intrusion is traced by the IDS an alarm starts, which alerts everybody to the incident

3.4.1 The Investigation Process (Cont.)
  A person continuously trying to log in unsuccessfully to the systems to gain unauthorized access
  The presence of new files or folders. This should be looked into seriously because it can be a virus, a worm, or any malicious code

3.4.1 The Investigation Process (Cont.)
Containment
• Limit the extent and intensity of an incident as quickly as possible
• Avoid potentially compromising code like FTP downloads
• Carry the data to any other secure network
• Use an intrusion detection system to track the hacker
• Make complete backups of infected systems
• Change the passwords of all the unaffected systems in the LAN

3.4.1 The Investigation Process (Cont.)
Eradication
• In this stage the documents are looked into to find and remove the cause of the incident
• Use standard anti-virus tools to remove viruses/worms from storage media
• Determine cause and symptoms
• Improve security measures by enabling firewalls, router filters, or assigning a new IP address
• Perform vulnerability analysis

3.4.1 The Investigation Process (Cont.)
Recovery
• Determine the course of action
• Monitor and validate systems
• Determine the integrity of the backup itself by attempting to read its data
• Verify the success of the operation and the normal condition of the system
• Monitor the system using network loggers and system log files, and check for potential back doors

3.4.1 The Investigation Process (Cont.)
Follow-up
• Revise policies and procedures from the lessons learnt from the past
• Determine the staff time required and perform the following cost analysis:
  Associated cost
  Extent to which the incident disrupted the organization
  Data lost and its value
  Damaged hardware and its cost

3.4.2 Evidence Assessment
• Processing evidence is a four-part set of procedures consisting of assessment, acquisition, examination, and documentation.
• Evidence assessment is the first part of this process, and involves evaluating issues related to the case and the digital evidence that's being sought.
• Requires reviewing:
  The search warrant or details of legal authorization to obtain the evidence
  The details of the case
  Hardware and software that may be involved, and
  The evidence you hope to acquire for later evaluation

3.4.3 Acquiring Evidence
The following steps are performed to collect the evidence:
• Find the evidence
• Discover the relevant data
• Prepare an order of volatility
• Eradicate external avenues of alteration
• Gather the evidence
• Prepare chain of custody

3.4.3 Acquiring Evidence (Cont.)
Imaging the evidence disk
• Capture an accurate image of the system as soon as possible.
• The forensic copy can be created using various techniques such as:
  Using MS-DOS to create a bit-stream copy of a floppy disk / hard disk
  Using imaging software to acquire a bit-stream copy of a floppy disk / hard disk

3.4.3 Acquiring Evidence (Cont.)
Understanding bit-stream copies
• Bit-stream copy: a bit-by-bit copy of the original storage medium, an exact copy of the original disk.
• Different from a simple backup copy: backup software only copies known files.
• Backup software cannot copy deleted files or e-mail messages, or recover file fragments.

3.4.3 Acquiring Evidence (Cont.)
Bit-stream image
• File containing the bit-stream copy of all data on a disk or partition
• Also known as a forensic copy
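Added example (not from the lecture slides) serving both the Authentication stage in 3.2.2 and the bit-stream copy versus backup distinction above: a constructed toy disk holds a deleted file whose sector was never overwritten; a logical backup misses it, a bit-stream copy keeps it, and a hash comparison accepts the intact image but rejects one with a single flipped bit. The sector layout and directory table are constructed, not a real file system.

```python
"""Bit-stream copy versus backup copy, with hash authentication of the image.

Added example, not from the lecture slides. The "disk" is a constructed
16-sector byte buffer with a toy directory table, not a real file system;
it exists only to show what a logical backup misses and what the
authentication step checks.
"""
import hashlib

SECTOR = 512


def make_sample_disk():
    """Two files are listed in the directory; a third was 'deleted' (its entry
    removed) but its sector was never overwritten."""
    disk = bytearray(16 * SECTOR)
    files = {
        "report.txt": (2, b"Quarterly report, nothing unusual here."),
        "notes.txt": (4, b"Meeting notes for Monday."),
    }
    table = {}
    for name, (sector, data) in files.items():
        disk[sector * SECTOR:sector * SECTOR + len(data)] = data
        table[name] = (sector, len(data))
    # Unallocated sector 9 still holds the contents of a deleted draft.
    deleted = b"DELETED-DRAFT: message the user believed was gone"
    disk[9 * SECTOR:9 * SECTOR + len(deleted)] = deleted
    return bytes(disk), table


def logical_backup(disk: bytes, table: dict) -> dict:
    """What backup software does: copy only the files the directory knows about."""
    return {name: disk[s * SECTOR:s * SECTOR + n] for name, (s, n) in table.items()}


def bit_stream_copy(disk: bytes) -> bytes:
    """Forensic copy: every byte of every sector, allocated or not.
    (On real media this is a write-blocked read of the whole device.)"""
    return bytes(disk)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(original: bytes, image: bytes) -> bool:
    """Authentication: the image is accepted only if its hash equals the original's."""
    return sha256_hex(original) == sha256_hex(image)


def flip_one_bit(image: bytes, offset: int) -> bytes:
    """Simulate a single corrupted byte in an image (bad sector, faulty cable, stray edit)."""
    damaged = bytearray(image)
    damaged[offset] ^= 0x01
    return bytes(damaged)


def backup_contains(backup: dict, needle: bytes) -> bool:
    return any(needle in data for data in backup.values())


def run_demo() -> dict:
    disk, table = make_sample_disk()
    image = bit_stream_copy(disk)
    backup = logical_backup(disk, table)
    marker = b"DELETED-DRAFT"
    return {
        "image_verified": verify_image(disk, image),
        "damaged_image_verified": verify_image(disk, flip_one_bit(image, 9 * SECTOR + 3)),
        "deleted_data_in_image": marker in image,
        "deleted_data_in_backup": backup_contains(backup, marker),
        "image_hash": sha256_hex(image),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```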

3.4.4 Evidence Examination
• Analysis can be carried out using various forensic analysis tools such as EnCase, AccessData, etc.
• Working from an image of the original machine, files and other data can be extracted from the image to separate files, which can then be reviewed by the examiner.
• Extraction of evidence from a hard disk can occur at either of two levels: logical extraction and physical extraction.

3.4.5 Documenting and Reporting of Evidence
• Investigators document their evidence by creating an evidence form.
• Evidence forms must be updated based on the changing technology and methods in recovering data.
• Functions of the evidence form include:
  Identifying the evidence
  Identifying the investigator handling the case
  Listing the dates and the time that the case was handled


3.4.5 Documenting and Reporting of Evidence (Cont.) Example of evidence form

3.4.6 Closing the Case
• The investigator should include what was done and the results in the final report.
• A basic report includes: who, what, when, where, and how.
• In a good computing investigation the steps can be repeated and the results obtained are the same every time.
• The report should explain the computer and network processes.
• Explanations should be provided for the various processes and the inner workings of the system and its various interrelated components.

Summary

Summary
• Take a systematic approach to the investigation
• Take into account the nature of the case, instructions, and tools while planning the case
• Apply standard problem-solving techniques
• Always maintain a journal to make notes of everything
• Create bit-stream copies of files using either the Diskcopy DOS utility or the Image tool
• Keep track of the chain of custody of your evidence

End of Chapter 3

