Computer Forensics: Investigation Procedures and Response, Second Edition
Chapter 3 Computer Investigation Process
© Cengage Learning 2017
Objectives
After completing this chapter, you should be able to:
• Investigate computer crime
• Develop policies and procedures
• Investigate a company policy violation
• Understand the methodology of investigation
• Evaluate a case (perform case assessment)
• Develop and follow an investigation plan
• Obtain a search warrant
• Understand warning banners
• Collect evidence
• Implement an investigation
• Image an evidence disk
• Examine digital evidence
• Close a case
Introduction to Computer Investigation
• This chapter:
  – Introduces the concept of computer investigation
  – Shows the steps involved in investigating computer crime
Investigating Computer Crime
• Incident
  – An event that threatens the security of a computer system or network in an organization
• An investigator must verify any complaint related to an intrusion before treating it as an incident
• An intrusion detection system alert on its own:
  – May only indicate an attempted, unsuccessful intrusion
  – Or may be a false alarm
Policy and Procedure Development
• Types of policies and procedures
  – Mission statement
  – Personnel requirements for the computer forensic unit
  – Administrative considerations
    • Software licensing
    • Resource commitment
    • Training
  – Submission and retrieval of computer forensic service requests
  – Implementation of case-management procedures
  – Handling of evidence
  – Development of case-processing procedures
  – Development of technical procedures
    • Identifying the task or problem
    • Proposing possible solutions
    • Testing each solution on a known control sample
    • Evaluating the results of the test
    • Finalizing the procedure
Investigating a Company Policy Violation
• Every company has a predefined set of policies that each employee has to follow
  – Including policies on the use of computer equipment owned by the company
• Properly drafted company policies regarding the use of electronic media
  – Reduce the risk that retrieving information from company equipment during an investigation violates an employee's privacy expectations
Implementing and Enforcing Company Policy
• For effective implementation, the company needs to inform each employee of the company policy
• Company policy violations
  – Forensic examiners or investigators are called in to perform internal investigations
  – An investigator should follow a standard methodology
  – The motive behind a company policy violation investigation is not always to take punitive steps
Policy Violation Case Example
• Mike is suspected of conducting his own business using a company computer
  – Situation: employee abuse case
  – Nature of the case: side business
  – Specifics about the case: employee is reportedly conducting a side business on his computer
  – Type of evidence: USB flash drive
  – OS: Windows 7
  – Known disk format: FAT32
  – Location of evidence: disk that a manager found near Mike's computer
• Based on the case details, you determine:
  – Type of evidence: Mike was conducting his own business using his employer's computer
  – Computer forensics tools: tools for duplicating the USB flash drive and finding deleted and hidden files
  – Special operating systems: any OSs that the suspect has installed on the company computer
Before Starting the Investigation
• First requirement for an investigation: a skilled technician on the team
  – The technician should be capable of acquiring and analyzing a variety of evidence
• Second requirement: a workstation or data recovery lab
  – The lab should be equipped with the right equipment and forensic tools required for the investigation
Legal Considerations
• The investigator needs to coordinate with the local district attorney
• Important legal points an investigator should keep in mind:
  – Staying within the authorized scope of the search
  – Checking for possible issues related to the applicable federal statutes
• Investigators should contact the legal authorities in cases where the search cannot be limited to the authorized scope
Investigating Methodology
• Methodology
  – A set of guidelines that is used to maintain consistency
  – Can be very difficult to develop for computer investigations because there are many variables in forensic cases
• Two things that give a foundation for sound analysis and case building:
  – Defining the methodology
  – Working according to it
• Standard steps when preparing a forensic case:
  – Initially assess the case
  – Determine a preliminary design or approach to the case
  – Prepare a detailed design
  – Determine what resources are required
  – Obtain the evidence disk drive
  – Copy the evidence disk drive
  – Identify the risks involved
  – Minimize the risks
  – Test the design
  – Analyze and recover the digital evidence
  – Investigate the recovered data
  – Complete the case report
  – Critique the case
Evaluating the Case
• General steps:
  – Initially examine the investigator's service request
  – Find the legal authority for the forensic examination request
  – Ensure that the request for assistance is assigned
  – Provide the complete chain of custody
  – Check whether forensic processes need to be performed on the evidence
  – Check whether it is possible to follow investigative methods
  – Identify the relevance of various peripheral components
  – Establish the potential evidence being sought
  – Obtain additional details such as e-mail addresses, the ISP used, and user names
  – Evaluate the skill levels of the users to identify their expertise in destroying or concealing evidence
  – Set the order of evidence examination
  – Identify whether additional personnel are required
  – Identify whether additional equipment is required
Warning Banners
Figure 3-1 An example of a warning banner that a user sees when signing on to a system
Collecting the Evidence
• An investigator must seek permission to conduct a search at the site of a crime
  – From the judiciary branch of that particular location
• Computers and their related components can:
  – Help establish the chain of events leading up to a crime
  – Provide the evidence required for a conviction
Obtaining a Search Warrant
• Search warrant
  – A written order issued by a judge
  – Directs a law enforcement officer to search for a particular piece of evidence at a particular location
• A successful computer search warrant should include:
  – The particular object the investigator wants to seize
  – The search strategy used in the investigation
• Search warrant purview: a warrant can be issued for:
  – An entire company
  – A floor of a company building
  – A room in a company building
  – A device
  – A car
  – A house
  – Any other company property
Preparing for Searches
• Before a judge issues a search and seizure warrant for all or part of a target computer
  – The investigator needs to determine the computer's significance in the offense
• Role of a computer in an offense:
  – Tool of the offense
  – Repository of evidence of the offense
• Warrants should be issued with consideration of the role of the computer in the crime
Searches Without a Warrant
• In certain situations, searches performed without a warrant may be allowed:
  – When destruction of evidence is imminent
  – When a person with authority has consented
Performing a Preliminary Assessment
• An investigator should perform a preliminary assessment to search for evidence
• After the assessment is over, the investigator needs to perform the following steps:
  – Take a snapshot (photographs) of the crime scene before collecting the evidence
  – Collect and seize the equipment used in committing the crime
  – Document the items collected, such as floppy disks, CDs, and DVDs
Examining and Collecting Evidence
• General steps:
  – Find the evidence
  – Discover the relevant data
  – Prepare an order of volatility
• Order of volatility, most volatile first (the order given in RFC 3227):
  – Registers and cache
  – Routing tables
  – ARP cache
  – Process table
  – Kernel statistics and modules
Acquiring the Subject Evidence
• General steps:
  – Investigate the makeup of any storage device to ensure that all space is accounted for
  – Capture the electronic serial number of the drive and other user-accessible, host-specific data
  – Obtain the evidence using the appropriate tools
    • Stand-alone duplication software
    • Forensic analysis software suites
    • Dedicated hardware devices
  – Using sector-by-sector comparison, verify that the copy matches the original evidence
Methods of Collecting Evidence
• Evidence is collected from a live computer by examining the following:
  – Process register
  – Virtual and physical memory
  – Network state
  – Running processes
  – Disks, tapes, and CD-ROMs
  – Paper printouts
• Volatile sources and commands used to capture the evidence on live computers:
  – ps or the /proc file system (process table)
  – netstat (network state)
  – arp (ARP cache)
  – lsof (list of open files)
  – /dev/mem and /dev/kmem (physical and kernel memory; on current Linux kernels /dev/mem access is restricted and /dev/kmem has been removed, so memory acquisition needs a dedicated tool)
• Computer forensic tools used for data collection:
  – Guidance Software's EnCase
  – AccessData's Forensic Toolkit
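The two slides above (order of volatility, and the ps/netstat/arp/lsof commands) as one added Python example; this is not code from the textbook. It runs the listed commands from most to least volatile, stores each raw output, and hashes it so the value can be entered on the chain-of-evidence form. The artifact names and the command options are this example's own choices, and a tool missing from the host is recorded rather than fatal. Memory is not read here, for the kernel reason noted above.

```python
"""Live-response collection in order of volatility (added example).

Runs the volatile-data commands the slides list (ps, netstat, arp, lsof) from
most to least volatile, records when each ran, hashes every output so it can
be cited on the chain-of-evidence form, and tolerates tools that are missing
on the host. Memory (/dev/mem, /dev/kmem) is deliberately not read here: on
current Linux kernels /dev/mem is restricted and /dev/kmem is gone, so memory
needs a dedicated acquisition tool. Artifact names are our own labels.
"""
import datetime
import hashlib
import json
import pathlib
import shutil
import subprocess
import sys

PYTHON = sys.executable  # used by the self-check in the test

# Most volatile first: process table, then network state, ARP cache, open files.
DEFAULT_STEPS = [
    ("process_table", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("network_state", ["netstat", "-anp"]),
    ("arp_cache", ["arp", "-an"]),
    ("open_files", ["lsof", "-n", "-P"]),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


def run_step(name, argv, outdir):
    """Run one collection command and return its manifest record; never raises,
    so a missing or hanging tool does not abort the rest of the collection."""
    record = {"artifact": name, "command": " ".join(argv), "started_utc": utc_now()}
    if shutil.which(argv[0]) is None:
        record["status"] = "missing"            # tool not present on this host
        return record
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=60)
    except subprocess.TimeoutExpired:
        record["status"] = "timeout"
        return record
    out_path = pathlib.Path(outdir) / f"{name}.txt"
    out_path.write_bytes(proc.stdout)           # raw bytes, unmodified
    record.update({
        "status": "ok" if proc.returncode == 0 else f"exit {proc.returncode}",
        "output_file": str(out_path),
        "bytes": len(proc.stdout),
        "sha256": sha256_hex(proc.stdout),
        "finished_utc": utc_now(),
    })
    return record


def collect(outdir, steps=DEFAULT_STEPS):
    """Run every step in the given (volatility) order and write manifest.json.
    Returns the records and the SHA-256 of the manifest file."""
    pathlib.Path(outdir).mkdir(parents=True, exist_ok=True)
    records = [run_step(name, argv, outdir) for name, argv in steps]
    manifest = pathlib.Path(outdir) / "manifest.json"
    manifest.write_text(json.dumps(records, indent=2))
    return records, sha256_hex(manifest.read_bytes())


if __name__ == "__main__":
    records, manifest_hash = collect("live_collection")
    for r in records:
        print(f"{r['artifact']:<14} {r['status']:<8} {r.get('sha256', '')}")
    print("manifest sha256:", manifest_hash)
```

The manifest hash is the single value to write on the evidence form; each artifact's own hash lets a reviewer later prove that a printout or exhibit is the file that was collected, and the start/finish timestamps tie the collection to the machine clock, which should itself be compared against a trusted time source and noted.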
Securing the Computer Evidence
• Secure the evidence to prevent tampering
  – Involves retrieving all the information held on a computer so that it can be used in the investigation
• By securing the evidence, the investigator ensures that it is not altered during the examination process
• Best practices
  – An empirically proven set of methods for performing a task in the best and most efficient way
• Steps to secure the digital evidence while collecting it at the crime scene:
  – Follow departmental guidelines when possible
    • Otherwise, use the U.S. National Institute of Justice publication Electronic Crime Scene Investigation: A Guide for First Responders
  – Document and verify the hardware configuration of the system to be examined
  – Disassemble the computer to be examined
  – Identify and document the internal storage devices
• Tampering can alter the evidence; the investigator must prevent anyone from tampering with it
  – Gather the evidence
  – Prepare the chain of custody
Processing Location Assessment
• After accessing the evidence, the investigator needs to decide the best place to examine it
• Assessment considerations might include the following:
  – Time required to recover the evidence onsite
  – Logistic and workforce concerns related to long-term deployment
  – Business impact of a time-consuming search
  – Suitability of equipment, resources, media, training, and experience for an onsite examination
Chain-of-Evidence Form
• Documents what has and has not been done with:
  – The original evidence
  – Any forensic copies of the evidence
• Information contained in this form:
  – Case number
  – Investigating organization
  – Investigator for the case
  – Nature of the case
  – Description of the evidence
  – Evidence recovered by
  – Date and time
  – Location from where the evidence was recovered
  – Evidence processed by, per item number
  – Evidence placed in the locker
  – Item/evidence processed by/disposition of evidence/date/time
  – Page number
  – Name of vendor
  – Model or serial number
Examining the Digital Evidence
• The investigator should perform the examination process on a bit-stream copy
  – Rather than on the original computer
• While writing up documentation, the investigator must use an accurate system date and time
  – Inaccurate time and date information can change the whole case and can contribute to losing the case
Understanding Bit-Stream Copies
• Bit-stream copy
  – A bit-by-bit copy of the original storage medium
  – Bit-streaming can create an exact image of a disk
• A backup copy, by contrast, is only a copy of the files (often compressed into an archive) and does not capture deleted files, file slack, or unallocated space
• Bit-stream image
  – A file that contains a duplicate copy of all the data on a disk or disk partition
• An investigator should copy the bit-stream image to a target work disk
  – Identical in all aspects to the evidence disk
Imaging
• The investigator should analyze a duplicate copy of any evidence
• To create a forensic copy of a floppy disk, the investigator should make a bit-stream data copy
  – Employ a specialized tool, such as the Digital Intelligence Image utility
• The bit-stream copy includes slack space
  – The space that exists between the end of a file and the end of the last cluster used by that file
Write Protection
• Write protection should be initiated, if available, to preserve and protect the original evidence
• The examiner should consider creating a known value (for example, a cryptographic hash) for the subject evidence
  – Prior to acquiring the evidence, so the acquired copy can be verified against it
• If hardware write protection is used:
  – Install a write-protection device (write blocker)
  – Boot the system with the examiner's controlled operating system
• If software write protection is used:
  – Boot the system with the examiner's controlled operating system
  – Activate write protection
• Retrieving deleted files
  – When files are deleted, the space they occupied becomes free space
  – These files can be recovered if the free space has not been overwritten by a new file
  – Forensic tool used to retrieve such files: the MS-DOS tool from Digital Intelligence called DriveSpy
• DriveSpy
  – A disk-forensic DOS tool designed to emulate and extend the capabilities of DOS to meet forensic needs
  – Creates direct disk-to-disk forensic duplicates
  – Can copy a range of sectors within or between drives
  – Can process duplicate drives regardless of physical drive geometry or sector translation differences
  – Uses familiar DOS commands (cd, dir, and others) to navigate the system
  – Operates in one of the following modes:
    • System mode
    • Drive mode
    • Part mode (also known as partition mode)
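The acquisition workflow spread over the Acquiring the Subject Evidence, Understanding Bit-Stream Copies, Imaging and Write Protection slides (known value first, sector-by-sector copy, sector-by-sector verification) as one added Python example; it is not code from the textbook and does not use the Digital Intelligence tools named there. The "device" is a constructed bytes object standing in for a raw disk, and the examiner name is a placeholder; with a real drive the source would be opened read-only behind a write blocker.

```python
"""Bit-stream acquisition with a pre-acquisition known value (added example).

A constructed stand-in for a raw device (a bytes object) is hashed before
acquisition, copied into an image sector by sector, and the image is verified
two ways: sector-by-sector comparison against the source and recomputation of
the hash. The resulting record is what goes on the chain-of-evidence form.
"""
import datetime
import hashlib
import io
import random

SECTOR = 512


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_evidence_device(n_sectors=64, seed=7) -> bytes:
    """Constructed device: deterministic pseudo-random sectors, a boot-sector
    signature in sector 0 and one all-zero sector so the image provably
    captures unallocated space as well as data."""
    rnd = random.Random(seed)
    data = bytearray(rnd.getrandbits(8) for _ in range(n_sectors * SECTOR))
    data[510:512] = b"\x55\xaa"
    data[5 * SECTOR:6 * SECTOR] = bytes(SECTOR)
    return bytes(data)


def acquire(device, image, sector=SECTOR):
    """Copy the device stream into the image stream one sector at a time,
    hashing as it goes. A short final read is zero-padded to a full sector
    (what dd conv=sync does) so the image stays sector-aligned.
    Returns (sectors written, SHA-256 of the bytes written)."""
    h, written = hashlib.sha256(), 0
    while True:
        chunk = device.read(sector)
        if not chunk:
            break
        if len(chunk) < sector:
            chunk += bytes(sector - len(chunk))
        image.write(chunk)
        h.update(chunk)
        written += 1
    image.flush()
    return written, h.hexdigest()


def verify(original: bytes, image: bytes, sector=SECTOR):
    """Sector-by-sector comparison; returns the numbers of mismatching sectors."""
    bad = []
    for off in range(0, max(len(original), len(image)), sector):
        if original[off:off + sector] != image[off:off + sector]:
            bad.append(off // sector)
    return bad


def run_acquisition(device_bytes: bytes, examiner="J. Examiner (placeholder)"):
    """Known value first, then acquire, then verify; return the form record."""
    known = sha256_hex(device_bytes)            # known value, before acquisition
    out = io.BytesIO()
    sectors, stream_hash = acquire(io.BytesIO(device_bytes), out)
    img = out.getvalue()
    mismatches = verify(device_bytes, img)
    return {
        "examiner": examiner,
        "acquired_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "sectors": sectors,
        "known_value_sha256": known,
        "image_sha256": sha256_hex(img),
        "stream_hash_matches_image": stream_hash == sha256_hex(img),
        "mismatching_sectors": mismatches,
        "verified": known == sha256_hex(img) and not mismatches,
    }


if __name__ == "__main__":
    device = make_evidence_device()
    print(run_acquisition(device))
    tampered = bytearray(device)
    tampered[3 * SECTOR] ^= 0xFF                 # flip one byte in sector 3
    print("tampered copy differs in sectors:", verify(device, bytes(tampered)))
```

The hash alone proves the whole image matches; the sector comparison is what tells you where a mismatch is, which matters when a drive has unreadable sectors that the imager zero-filled, since those sectors must be listed in the record rather than left as an unexplained hash difference.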
Evidence Assessment
• Consider the following while assessing evidence:
  – Prioritizing the evidence:
    • Location of evidence at the crime scene
    • Stability of media to be examined
  – Establishing how to document the evidence
  – Evaluating storage locations for electromagnetic interference
  – Determining the state of the evidence after packaging, transport, or storage
  – Evaluating the necessity to provide a continuous power supply to battery-operated devices
Evidence Examination
• When conducting examinations, examiners must:
  – Use accepted forensic procedures
  – Avoid working on the original evidence
• Steps when conducting the evidence examination:
  – Preparation
  – Extraction
    • Physical
    • Logical
Physical Extraction
• Identifies and recovers data across the entire physical drive without regard to any file system
• Methods include:
  – Performing a keyword search across the physical drive
  – Running file-carving utilities across the physical drive
  – Examining the partition structure (partition table) and the unused space on the physical drive
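The first two physical-extraction methods above, a keyword search and file carving run over the raw drive rather than through the file system, as an added Python example; this is not code from the textbook. The raw image, the short signature table and the keyword are constructed inline: the PNG is built with real chunk CRCs so it carves as a valid file, a JPEG header with no footer shows the truncated case, and the keyword is planted once in ASCII and once in UTF-16LE because a plain ASCII grep misses the strings Windows stores in UTF-16.

```python
"""Physical extraction over a raw image (added example): signature-based file
carving plus a keyword search that ignores file-system structure, so hits in
slack and unallocated space are found too. The image, the signature table and
the keyword are constructed inline.
"""
import re
import struct
import zlib

# Real magic numbers: (header, footer) per type.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size=1 << 20):
    """Header-to-footer carving. Returns [(type, offset, bytes)] sorted by
    offset. A header with no footer within max_size is reported as truncated
    with data None rather than silently dropped."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            end = image.find(tail, start + len(head), start + max_size)
            if end < 0:
                found.append((kind, start, None))
                pos = start + 1
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])


def keyword_search(image: bytes, keywords, context=16):
    """Case-insensitive search over the whole image in ASCII and UTF-16LE."""
    hits = []
    for kw in keywords:
        for enc, pat in (("ascii", kw.encode("ascii")), ("utf-16le", kw.encode("utf-16-le"))):
            for m in re.finditer(re.escape(pat), image, re.IGNORECASE):
                lo, hi = max(0, m.start() - context), m.end() + context
                hits.append({"keyword": kw, "encoding": enc, "offset": m.start(),
                             "context": image[lo:hi]})
    return sorted(hits, key=lambda h: h["offset"])


def minimal_png() -> bytes:
    """Smallest valid PNG (1x1, 8-bit grayscale) with correct chunk CRCs."""
    def chunk(kind, body):
        return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")            # filter byte + one sample
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_image() -> bytes:
    """Constructed raw image: zero-filled space, an ASCII keyword in what would
    be slack, a PNG, a JPEG header with no footer, the keyword again in
    UTF-16LE, and a PDF."""
    return (bytes(100)
            + b"Contract draft for SideBiz LLC\n"
            + bytes(50) + minimal_png() + b"\xff" * 30
            + b"\xff\xd8\xff\xe0" + b"\x11" * 40
            + "SideBiz".encode("utf-16-le")
            + b"%PDF-1.4\n1 0 obj\nendobj\n%%EOF\n" + bytes(80))


if __name__ == "__main__":
    img = build_image()
    for kind, off, data in carve(img):
        print(f"{kind} at {off}: {'truncated' if data is None else f'{len(data)} bytes'}")
    for h in keyword_search(img, ["sidebiz"]):
        print(f"{h['keyword']} ({h['encoding']}) at {h['offset']}: {h['context']!r}")
```

Header-to-footer carving is the simplest carving strategy and is fooled by fragmented files and by footers that legitimately occur inside a file (a JPEG with an embedded thumbnail has two FF D9 markers); production carvers validate the structure between header and footer, which is why the example keeps the PNG parseable.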
Logical Extraction
• Extraction of data from the drive based on the file system(s) present on the drive
  – File slack: the space that exists between the end of a file and the end of the last cluster used by that file
• Steps may include:
  – Extraction of the file system information
  – Data reduction to identify and eliminate known files
  – Extraction of files pertinent to the examination
  – Recovery of deleted files
  – Extraction of file slack
  – Extraction of unallocated space
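The logical-extraction steps above (extract files, recover deleted files, extract file slack and unallocated space) together with the "Retrieving deleted files" point on the Write Protection slides, as one added Python example. It is not the textbook's code and not a FAT32 parser: to stay under a page it uses a simplified FAT-like layout of its own (64-byte clusters, a directory of fixed 16-byte entries in cluster 0, an allocation map in cluster 1, contiguous files from cluster 2), but deletion behaves as it does on FAT: the entry is flagged and the clusters are marked free while the data stays on disk. The sample image and its "old residue" are constructed.

```python
"""Logical extraction on a constructed, simplified FAT-like image (added
example, not a real FAT32 parser): read the directory, pull active files,
recover a deleted file whose clusters are still free, and extract file slack
and unallocated space."""
import struct

CLUSTER, N_CLUSTERS = 64, 16
DIR_CLUSTER, MAP_CLUSTER, FIRST_DATA = 0, 1, 2
ENTRY = struct.Struct("<8sBBH4x")      # name, flags, start cluster, size, pad
FLAG_DELETED = 0x01


def clusters_for(size):
    return max(1, -(-size // CLUSTER))  # ceiling division, at least one cluster


def build_image(files, residue=b"\x00"):
    """Constructed image. files: (name, data, deleted). The data area is
    prefilled with 'residue' so slack space visibly carries older bytes."""
    img = bytearray(N_CLUSTERS * CLUSTER)
    area = (N_CLUSTERS - FIRST_DATA) * CLUSTER
    img[FIRST_DATA * CLUSTER:] = (residue * (area // len(residue) + 1))[:area]
    alloc = bytearray(N_CLUSTERS)
    alloc[DIR_CLUSTER] = alloc[MAP_CLUSTER] = 1
    entries, nxt = [], FIRST_DATA
    for name, data, deleted in files:
        start, n = nxt, clusters_for(len(data))
        img[start * CLUSTER:start * CLUSTER + len(data)] = data
        for c in range(start, start + n):
            alloc[c] = 0 if deleted else 1     # deleted: clusters freed, data kept
        flags = FLAG_DELETED if deleted else 0
        entries.append(ENTRY.pack(name.encode().ljust(8), flags, start, len(data)))
        nxt += n
    base = DIR_CLUSTER * CLUSTER
    img[base:base + ENTRY.size * len(entries)] = b"".join(entries)
    img[MAP_CLUSTER * CLUSTER:MAP_CLUSTER * CLUSTER + N_CLUSTERS] = alloc
    return bytes(img)


def read_directory(img):
    base, out = DIR_CLUSTER * CLUSTER, []
    for i in range(CLUSTER // ENTRY.size):
        name, flags, start, size = ENTRY.unpack_from(img, base + i * ENTRY.size)
        if name == bytes(8):                   # empty slot
            continue
        out.append({"name": name.decode().rstrip(), "deleted": bool(flags & FLAG_DELETED),
                    "start": start, "size": size})
    return out


def cluster_map(img):
    return list(img[MAP_CLUSTER * CLUSTER:MAP_CLUSTER * CLUSTER + N_CLUSTERS])


def file_bytes(img, entry):
    off = entry["start"] * CLUSTER
    return img[off:off + entry["size"]]


def file_slack(img, entry):
    """Bytes between the end of the file and the end of its last cluster."""
    end = entry["start"] * CLUSTER + entry["size"]
    cluster_end = (entry["start"] + clusters_for(entry["size"])) * CLUSTER
    return img[end:cluster_end]


def recover_deleted(img, entry):
    """Recover a deleted file only if none of its clusters was reallocated."""
    if not entry["deleted"]:
        return None
    alloc = cluster_map(img)
    if any(alloc[c] for c in range(entry["start"], entry["start"] + clusters_for(entry["size"]))):
        return None                            # overwritten by a newer file
    return file_bytes(img, entry)


def unallocated_space(img):
    """Every cluster the map says is free, concatenated for keyword searching."""
    alloc = cluster_map(img)
    return b"".join(img[c * CLUSTER:(c + 1) * CLUSTER] for c in range(N_CLUSTERS) if not alloc[c])


def demo_image():
    """Constructed evidence: an active invoice, a deleted customer list and a
    two-cluster notes file, written over old residue."""
    return build_image([
        ("invoice", b"Invoice 0042 - SideBiz LLC, net 30", False),
        ("custlist", b"Customer list: Acme Corp, Globex Inc, Initech", True),
        ("notes", b"x" * 70, False),
    ], residue=b"OLDDATA ")


if __name__ == "__main__":
    img = demo_image()
    for e in read_directory(img):
        print(e, file_bytes(img, e)[:20], "slack:", file_slack(img, e)[:12],
              "recovered:", recover_deleted(img, e))
    print("unallocated bytes:", len(unallocated_space(img)))
```

Two things the example makes concrete: a deleted file is recoverable only while its clusters stay free, so the allocation map must be checked before trusting recovered content, and slack and unallocated space are where the deleted customer list and the residue still live, which is why physical keyword searches find data a file listing never shows.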
Analysis of Extracted Data
• Data is extracted from:
  – Active files and deleted files
  – File slack and unallocated file space
• The data is used to find the following information:
  – Directory structure
  – File attributes
  – File names
  – Date and time stamps
  – File size
  – File location
• Characteristics of the data that can be analyzed:
  – Time frame
  – Data hiding
  – Application and file
  – Ownership and possession
• Analysis may require the following:
  – A review of the request for service
  – Legal authority for a search of the digital evidence
  – Investigative leads
  – Analytical leads
Time-Frame Analysis
• Can help associate events that occurred on a computer with an individual suspected of using that computer
• Methods:
  – Review the time stamps and date stamps found in the file system metadata
  – Review the application logs that are found
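Both methods above combined, as an added Python example that is not from the textbook: file system timestamps and application-log events are merged into one UTC timeline, and each file event is attributed to whoever held an interactive session at that moment. All timestamps, the log lines, the local time zone and the 3-minute clock skew are constructed for the example, and the log format is a generic one of this example's own, not any product's. The last event is deliberately attributed to a different account than the suspect's, because an access time stamped after the suspect logged off is exactly the kind of result that must be explained (a manager or the examiner opening the file) rather than reported as the suspect's activity.

```python
"""Time-frame analysis (added example): merge file-system timestamps with
application-log events into one UTC timeline, then attribute each file event
to whoever held an interactive session at that moment. All data constructed.
"""
from datetime import datetime, timezone, timedelta
import re

# Constructed MAC times as read out of the file system. They are local time
# (UTC-05:00); the examiner must know the machine's zone and clock skew
# before comparing them with logs that are kept in UTC.
LOCAL = timezone(timedelta(hours=-5))
FILE_EVENTS = [
    ("E:\\SideBiz\\invoice_0042.docx", "modified", "2017-03-14 09:41:10"),
    ("E:\\SideBiz\\invoice_0042.docx", "created", "2017-03-14 09:12:55"),
    ("C:\\Users\\mike\\Desktop\\pricing.xlsx", "accessed", "2017-03-14 18:05:00"),
]
CLOCK_SKEW = timedelta(minutes=3)   # workstation clock found 3 min fast (assumed)

# Constructed session log, already in UTC. Format: "date time user logon|logoff".
SESSION_LOG = """\
2017-03-14 13:58:02 mike logon
2017-03-14 17:30:11 mike logoff
2017-03-14 22:45:00 admin logon
2017-03-14 23:20:00 admin logoff
"""


def parse_file_events():
    """Normalize file-system times to true UTC: apply the zone, remove skew."""
    out = []
    for path, what, ts in FILE_EVENTS:
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL)
        out.append({"when": local.astimezone(timezone.utc) - CLOCK_SKEW,
                    "source": "fs", "what": what, "path": path})
    return out


def parse_sessions(text):
    """Pair logon/logoff lines per user into (user, start, end) sessions."""
    line_re = re.compile(r"^(\S+ \S+) (\S+) (logon|logoff)$")
    sessions, open_ = [], {}
    for line in text.splitlines():
        m = line_re.match(line)
        if not m:
            continue                            # unparseable line: skip, not crash
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        user, action = m.group(2), m.group(3)
        if action == "logon":
            open_[user] = when
        elif user in open_:
            sessions.append((user, open_.pop(user), when))
    return sessions


def attribute(events, sessions):
    """Tag each event with the user whose session covered it (None if nobody)."""
    for ev in events:
        ev["user"] = next((u for u, a, b in sessions if a <= ev["when"] <= b), None)
    return sorted(events, key=lambda e: e["when"])


def timeline():
    return attribute(parse_file_events(), parse_sessions(SESSION_LOG))


if __name__ == "__main__":
    for ev in timeline():
        print(ev["when"].isoformat(), ev["what"], ev["path"], "->", ev["user"])
```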
Data-Hiding Analysis
• Data can be hidden on the storage devices of the computer
• Methods:
  – Identifying mismatches between file headers and file extensions
  – Attempting to access all password-protected, encrypted, and compressed files
  – Checking for the use of steganography
• Steganography
  – The art and process of hiding information by embedding messages in other, harmless messages
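The first method above, the header/extension mismatch check, as an added Python example that is not the textbook's code. A renamed file keeps its real leading bytes, so comparing them with what the extension claims exposes the renaming. The sample files and the short signature table are constructed here; a production check would use a full signature library, and files with no recognizable header (plain text among them) are reported separately rather than counted as clean.

```python
"""File header vs. extension check (added example): a renamed file keeps its
real magic bytes, so comparing the leading bytes with what the extension
claims exposes the hiding. Sample files are constructed inline.
"""
import io
import zipfile

# (type, magic bytes at offset 0, extensions that legitimately carry it)
MAGIC = [
    ("jpeg", b"\xff\xd8\xff", {"jpg", "jpeg"}),
    ("png", b"\x89PNG\r\n\x1a\n", {"png"}),
    ("gif", b"GIF8", {"gif"}),
    ("pdf", b"%PDF-", {"pdf"}),
    ("zip", b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    ("exe", b"MZ", {"exe", "dll", "sys", "scr"}),
]


def identify(data: bytes) -> str:
    """Type implied by the leading bytes, or 'unknown'."""
    for kind, magic, _ in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_file(name: str, data: bytes) -> dict:
    """Verdict: ok, MISMATCH (header contradicts extension) or unknown-header
    (no signature matched; text files land here and need a separate look)."""
    kind, ext = identify(data), extension(name)
    claimed = {k for k, _, exts in MAGIC if ext in exts}
    if kind == "unknown":
        verdict = "unknown-header"
    elif kind in claimed:
        verdict = "ok"
    else:
        verdict = "MISMATCH"
    return {"name": name, "ext": ext, "header": kind, "verdict": verdict}


def find_mismatches(files):
    """files: iterable of (name, bytes). Returns only the flagged entries."""
    return [r for r in (check_file(n, d) for n, d in files) if r["verdict"] == "MISMATCH"]


def sample_files():
    """Constructed sample set: a genuine JPEG header, a zip archive renamed
    to .jpg, a PDF, a text file and an executable renamed to .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("customers.csv", "Acme Corp,Globex Inc\n")
    return [
        ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF" + bytes(16)),
        ("photo2.jpg", buf.getvalue()),
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("notes.txt", b"plain text has no magic number\n"),
        ("setup.png", b"MZ\x90\x00" + bytes(16)),
    ]


if __name__ == "__main__":
    for r in (check_file(n, d) for n, d in sample_files()):
        print(f"{r['verdict']:<14} {r['name']:<14} .{r['ext']} looks like {r['header']}")
```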
Application and File Analysis
• Results may provide important details, such as the proficiency of the user and the system's capabilities
• Results may also show that additional steps need to be taken, such as:
  – Reviewing file names for relevance and patterns
  – Examining file content
  – Identifying the number and types of operating systems
  – Correlating the files to the applications installed on the target computer
  – Looking for similarities between files
  – Correlating Internet history to cache files, and e-mail files to e-mail attachments
  – Identifying unknown file types to determine their value to the investigation
  – Identifying the presence of files in storage locations other than where the files are usually stored for a particular application
  – Examining user-configuration settings
  – Analyzing file metadata
Ownership and Possession
• Factors that help determine knowledgeable possession of data:
  – Placing the subject at the computer on a particular date and at a specific time
  – Presence of files at locations other than the default
  – The file itself may contain ownership details that might be of evidentiary value
  – Presence of concealed data
  – Recovering password-protected or encrypted files might reveal possession of the files
  – Ownership details of the file (such as the owning user account recorded in file system metadata)
Documenting and Reporting
• Reporting the results of the analysis and the steps taken during the analysis of digital evidence
  – A major responsibility of the investigator
• An investigator must document everything
  – Documentation should be a continuous process that records the entire examination completely
• General steps:
  – Take notes when consulting with the case investigator and/or prosecutor
  – Maintain a copy of the search authority with the case notes
  – Maintain the initial request for assistance with the case file
  – Maintain a copy of the chain-of-custody documentation
  – Take notes detailed enough to allow complete duplication of actions
    • Dates, times, and descriptions
    • Results of actions taken
  – Document irregularities encountered and any actions taken regarding irregularities during the examination
  – Include additional information
  – Document changes made to the system or network by or at the direction of law enforcement or the examiner
  – Document the operating system, relevant software versions, and currently installed patches
  – Document information obtained at the scene regarding remote storage, remote user access, and offsite backups
The Final Report
• The report should include:
  – Specific files related to the request
  – Other files, including hidden and deleted files, that support the findings
  – String searches, keyword searches, and text string searches
  – Evidence found relating to the use or abuse of the Internet
  – Graphic image analysis
  – Indicators of ownership, which could include program registration data
  – Data analysis
  – Descriptions of relevant applications on the examined items
  – Techniques used to hide or mask data, such as encryption, steganography, hidden attributes, hidden partitions, and file name anomalies
  – Supporting materials, such as the chain-of-custody documentation, digital copies of evidence, and printouts of specific evidence
Closing the Case
• Once the evidence has been analyzed and retrieved, the investigator needs to prepare a final report
  – Includes everything the investigator did during the course of the investigation and what he or she found
• The investigator should document all proceedings related to the investigation
• Each organization has its own predefined template for report writing
• Log files generated by the forensic tools should be attached to the formal report
Summary
• Securing computer evidence is the process by which all information held on a computer is retrieved to aid an investigation
• An organization's banner should give clear and unequivocal notice to intruders that by signing on to the system
• A bit-stream copy is a bit-by-bit copy of the original storage medium and an exact copy of the original disk
• Examining the evidence depends on the type of case and the digital media available at the crime scene
• Digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action
• Analysis is the process of interpreting the extracted data to determine its significance to the case