Unit III Project
Project 1 includes two labs, Lab 1 and Lab 2.
Lab 1 Assignment: Applying the Daubert Standard to Forensic Evidence
Locate and complete Lab 1: Recognizing the Use of Steganography in Forensic Evidence. Upon completion of Section 2 of the lab, you are required to provide the deliverables listed below.
Note: You do not have to complete Section 3 of the lab.
1. Include the Lab Report file with the following screen captures:
· contents of the email,
· hash value of the original Outlook file,
· hash value of the Outlook2.csv file,
· MD5 field in the Autopsy Result Viewer, and
· MD5 value produced by E3.
When you have completed the lab, click the "Download Lab Report as PDF" icon, located in the top right corner of the lab (as shown below):
2. Save the following file downloaded from the virtual environment: yourname_lab1_steganography.pdf
3. Upload the PDF Lab Worksheet in the Blackboard course.
Lab 2 assignment: Recognizing the Use of Steganography in Forensic Evidence
Locate and complete Lab 2: Recognizing the Use of Steganography in Forensic Evidence. Upon completion of Section 2 of the lab, you are required to provide the deliverables listed below.
Note: You do not have to complete Section 3 of the lab.
1. Include the Lab Report file with the following screen captures:
· search result and its description,
· StegExpose results,
· suspicious file in Microsoft Paint,
· contents of the file extracted by OpenPuff,
· search result and its description,
· WAV file sizes and hash values in E3,
· contents of the hidden file extracted by S-Tools, and
· contents of the hidden file extracted by Xiao.
When you have completed the lab, click the "Download Lab Report as PDF" icon, located in the top right corner of the lab (as shown below):
2. Save the following file downloaded from the virtual environment:
· yourname_lab2_steganography.pdf
3. Upload the PDF Lab Worksheet in the Blackboard course.
4. Then, write one page that discusses the elements listed below.
· Explain how forensic software from the lab is used.
· Describe at least two methodologies used in forensic investigations.
· Describe three common forensic certifications.
· Describe what evidence-handling tasks are.
Remember to include an introduction for the written portion of the paper. APA formatting is required, and citations and references for any paraphrased material should be present. A minimum of one reference is required for your assignment (it can be the textbook).
TEXTBOOK: Easttom, C. (2022). Digital forensics, investigation, and response (4th ed.). Jones & Bartlett Learning. https://online.vitalsource.com/#/books/9781284226065
FRN 4301, Principles of Digital Forensics 1
Course Learning Outcomes for Unit III
Upon completion of this unit, students should be able to:
1. Analyze forensic procedures for investigation.
1.6 Explain major forensic methodologies.
1.7 Describe three common forensic certifications.
1.8 Describe evidence-handling tasks.
3. Explain methods for using forensic tools.
3.3 Exemplify major forensic software and how they are used.
Required Unit Resources
Chapter 3: Forensic Methods and Labs
Unit Lesson
Forensic Management
In Unit II, we looked at the different types of cybercrimes as well as what constitutes a computer crime. In this unit, you will learn about the management of forensic processes as well as why it is important to adhere to a set of accepted industry standards. The word forensic means to be associated with or utilized in a court or utilized publicly in administrative considerations (Awati & Lutkevich, 2021). Forensics is the use of applications related to scientific methods and techniques for the investigation of computer crime. Everything that a forensic investigator does must hold up in a court of law (Forensic Control, 2020). Computer forensics, also known as digital forensics or cyber forensics, is a set of application and analysis techniques that are used to gather and maintain evidence from any electronic (computing or digital) device used for presentation in a court of law (Forensic Control, 2020).
Principles of Good Forensic Management
According to the Association of Chief Police Officers Good Practice Guide for Digital Evidence (i.e., ACPO Guide, as cited in Forensic Control, 2020), there are four main principles that are applicable to good forensic management.
• Take no action that modifies/changes data on any media used as evidence in a court of law.
• Any person accessing data seized as evidence in a legal proceeding must be competent enough to explain the relevance of their actions in a court of law.
• Preserve, through a record or audit trail, all processes applied to the acquisition of computer-based electronic evidence. Any independent third party should be able to follow the audit trail and achieve the same results.
• Any person in charge of the investigation takes responsibility to maintain and follow the law and these principles.
UNIT III STUDY GUIDE
Forensic Management
Cybercrime and Evidence
Criminal activities involving a computer and constituting cybercrime include stalking, threats, identity theft, child pornography, intellectual property theft, administrative investigation, bankruptcy investigations, credit card fraud, and more (Forensic Control, 2020). Digital evidence is any binary digit (bit) information stored on any type of digital medium or computer device (National Institute of Justice, n.d.). Digital evidence is one of the two types listed below.
• Persistent data: This is data that remains intact when the computer is turned off (e.g., data on hard drives and removable storage devices).
• Volatile data: This is data that is lost when the computer is turned off (e.g., computer history, temporary files, and the computer registry held in memory).
All evidence collected should be authentic, reliable, believable, complete, relevant, and admissible. Evidence can be obtained from many digital locations, including internet history files, temporary internet files, instant messages/chat records, unallocated space, added/removed software, newsgroups, various postings, email records, file sharing, folder structure, audio and video files, databases, authentication and system logs, and malware such as viruses, Trojan horses, and spyware, among many others.
The Five Stages of Forensic Examination
1. Identification: Identification involves managing the information from the crime scene to be investigated. It ensures that all of the resources are in place before the crime scene is set off (Carroll et al., 2008). Identification can be accomplished through the following actions:
• gathering as much information as one can, in recorded form or hard copy, about the alleged crime;
• getting firsthand information on the type of crime, the people involved in the crime, the location, and advice on what one can expect at the crime scene;
• collecting the facts, such as web pages, IP or MAC addresses, and the location of the crime scene where applicable; and
• identifying the resources needed at the crime scene.
2. Collection: Collection involves making a justifiable decision on whether to acquire digital evidence and ensuring that all the steps involved in acquiring the digital evidence are followed using the correct process. The collection of evidence adheres to the following procedures:
• preparing the resources needed for collecting evidence,
• securing the crime scene,
• identifying the potential exhibits,
• securing the crime scene,
• documenting the crime scene,
• conducting the initial interviews at the crime scene,
• taking photographs and documents of information pertaining to the exhibit,
• labelling the devices and cables, and
• sealing the exhibit in proper packaging (Carroll et al., 2008).
3. Preservation: Preservation of digital evidence begins with a chain of custody that tracks every step of the evidence changing hands, to ensure the chain remains unbroken (Carroll et al., 2008). Preservation involves the following actions:
• preserving the exhibit from the point it is taken to the point it is returned to the investigation officer,
• maintaining the chain of custody at all times, and
• storing digital evidence that has not undergone analysis in a high-security room.
4. Analysis: Analysis is the extraction of information from digital media and involves the analysis and reconstruction of potential evidence retrieved (Carroll et al., 2008). Analysis involves the following actions:
• discussing the case objective between the investigation officer and the analyst before analyzing the exhibit,
• analyzing the case objective,
• analyzing the image copy of the exhibit in a controlled environment,
• reviewing data from unallocated spaces and slack files,
• ensuring the image copy and original exhibit have the same hash value,
• recording all the steps taken in a diary, and
• constructing a user profile in the case.
5. Presentation: The deduced findings are assembled in a presentable and understandable manner. There are several ways of presenting the findings; these could be animations, written reports, demonstrations, and slide presentations. All forensic results should be verifiable, repeatable, accurate, and impartial (Carroll et al., 2008).
A thorough computer forensic methodology includes obtaining a search warrant, after which the crime scene is searched and evaluated. The evidence is collected and secured. Data is acquired from it, which is further analyzed to prepare the final report that is essential for testifying as an expert witness (Carroll et al., 2008).
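The analysis-stage check that the image copy and the original exhibit share the same hash value, combined with the audit-trail principle above, can be shown in a short script. The Python below is an added example, not code from the study guide or from any tool it names; the exhibit bytes, case number and examiner name are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data standing in for a seized drive and its forensic image.
ORIGINAL_EXHIBIT = b"EXHIBIT-001 sample drive contents " * 200
IMAGE_COPY = bytes(ORIGINAL_EXHIBIT)          # a faithful bit-for-bit image
TAMPERED_COPY = ORIGINAL_EXHIBIT[:-1] + b"X"  # the last byte differs


def hash_stream(data: bytes, algorithms=("md5", "sha256"), chunk_size=65536) -> dict:
    """Hash a byte stream in fixed-size chunks, the way an imaging tool reads a
    drive, and return a hex digest for each requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(original: bytes, image: bytes) -> dict:
    """Compare digests of the original exhibit and its image; the image may be
    analyzed only if every digest matches."""
    orig = hash_stream(original)
    copy = hash_stream(image)
    matches = {name: orig[name] == copy[name] for name in orig}
    return {"original": orig, "image": copy, "verified": all(matches.values())}


def custody_entry(case_no: str, exhibit_id: str, examiner: str, action: str, result: dict) -> dict:
    """Build one chain-of-custody / audit-trail record so an independent third
    party can repeat the check and reach the same result."""
    return {
        "case": case_no,
        "exhibit": exhibit_id,
        "examiner": examiner,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "original_sha256": result["original"]["sha256"],
        "image_sha256": result["image"]["sha256"],
        "verified": result["verified"],
    }


if __name__ == "__main__":
    good = verify_image(ORIGINAL_EXHIBIT, IMAGE_COPY)
    bad = verify_image(ORIGINAL_EXHIBIT, TAMPERED_COPY)
    # Placeholder case number and examiner name; record the verified image.
    print(json.dumps(custody_entry("CASE-0001", "EXH-001", "examiner-placeholder",
                                   "image hash verification", good), indent=2))
    print("tampered image verified:", bad["verified"])  # False: one byte differs
```

Hashing in chunks gives the same digest as hashing the whole stream at once, so the routine works on images far larger than memory.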
Building a Computer Forensic Lab
For the investigation of cybercrimes, a data recovery lab with the appropriate equipment and investigating team is necessary. The forensic lab should be maintained by trained individuals (BH Consulting, 2016). Creating a lab requires lab space, equipment, and forensic software.
Lab Space
Lab space should be placed inside a building with proper controls and resources. The lab should be secure and have adequate electricity and low humidity for the lab equipment. There should be desks for administrative work and work benches for forensic analysis. Every lab should have a good internet connection and proper access controls to restrict access to equipment, evidence, and forensic images (BH Consulting, 2016).
Equipment
The tools listed below can be found in a forensic laboratory (BH Consulting, 2016).
• Write blockers: A write blocker is a specialized type of hard disk controller that provides read-only access to a hard drive without the risk of altering the drive's contents. It blocks the computer from writing to the evidence and is an essential tool in any computer forensics lab. It is very important not to write to a disk while imaging; doing so can destroy a case.
• Drive kits: These provide an easy and compact connection between an internal hard drive and the workstation. Drive kits should be tested before going on a field trip.
• External storage: External storage should have the highest transfer rate possible; USB 3.0 is currently one of the best options. It should also have good heat dissipation so that it does not crash.
• Screwdriver kits: Tools are required for removing hard drives from laptops.
• Antistatic bags: These prevent static shock from killing a drive. They are cheap and easily available.
• Adaptors: A newer hard drive interface may require an adaptor to bridge from that interface to something the current equipment can handle.
• Network equipment: This includes a network switch, cabling, and network cards for forensic work, as well as the internet connection and firewall.
• Tape drives: These come in many types and sizes (e.g., DLT/SDLT, DDS/DAT, and LTO). They are used for reading and archiving work products.
• Forensic workstation: A dedicated workstation computer is required so that it can be left processing evidence overnight. A second computer is probably needed for other tasks while waiting for the first to finish. Processing power, RAM, and storage space should be bought according to the budget.
Forensic Software
A wide range of digital forensic software products are available on the market today. Some are general tools with a variety of functions. Others are more focused and limited in their purpose; these applications tend to target a specific type of evidence such as email or web/internet (BH Consulting, 2016). When selecting forensic software, you will need to decide between an open source and a commercial product. There are advantages and disadvantages to both. Factors such as cost, functionality, capabilities, and support are some of the criteria that can be used to make this decision (BH Consulting, 2016).
• CSI Linux is a focused Linux distribution for digital forensics developed as an open-source virtual machine appliance, so you can isolate your evidence to minimize cross-contamination. It is also available in a bootable triage disk image (restore to an external/internal SSD/HDD/USB drive) and a pre-built workstation.
• EnCase Forensic from Guidance Software (EnCase) works best for a trained forensics technician. This software is difficult to use for a beginner. EnCase works with Windows and Linux and costs nearly $3,000.
• Magnet AXIOM Cyber is a robust digital forensics and incident response solution for organizations that need to recover, analyze, and report on data from mobile, computer, cloud, and vehicle sources in one case file. Axiom is quickly becoming the de facto commercial tool in the industry.
• SANS Investigative Forensic Toolkit (SIFT/REMnux) is open source forensic software designed to run as a static virtual environment that one can optionally install to a drive. This tool is capable of file carving as well as analyzing file systems, web history, the recycle bin, and more. It can also analyze network traffic and volatile memory. SIFT can examine Linux, Windows, Solaris, and macOS evidence. It is a free, open source tool that a beginner can use.
Both EnCase and Magnet AXIOM are commercial products and support a multitude of tasks such as searching, sorting, reporting, password cracking, and email analysis, and thus help search for email addresses, phone numbers, keywords, web addresses, date ranges, and file types (BH Consulting, 2016). Tableau provides forensic hardware tools and can be accessed at https://www.tableau.com/.
Media for Storing Evidence
Multi-terabyte (TB) spinning disks (hard disk drives) are plentiful and inexpensive today. With 12 to 18 TB drives now becoming mainstream, one should get multiple drives for use in a RAID array. Basically, the rule of thumb is to get as much storage as one can afford. If more than one examiner is present in the lab, network storage (NAS, SAN) or even an on-premises cloud can be used (BH Consulting, 2016).
Having a trained team for a lab is necessary. The team should have members trained in computer hardware and networking, basic computer forensic knowledge, tool-specific training, and legal training. A laboratory should establish and follow a set of rules and policies for running the lab and examining the evidence. The chain of custody should be documented, showing who has possession of each item; it tracks every movement of the evidence and everyone who has been in contact with it. It records where a person got the evidence, who they got it from, when they got it, what they did with it, and where it has been stored. The original and derivative evidence handled by the examiner should be dated and marked with the case number. Examination notes and reports should be made, and a review of work done in the lab should be cataloged (BH Consulting, 2016).
Computer forensics can be used to ensure the overall integrity of an organization's computer systems and networking infrastructure. Computer forensics also helps in capturing valuable information during a network failure and in post-failure analysis. It helps in tracking cybercriminals and terrorists. Moreover, it provides a solution for various complicated cases such as cyberstalking, child pornography, and email spamming (BH Consulting, 2016).
Summary
In this lesson, you learned about the importance of good digital forensic management. You also learned how forensics relates to the scientific procedures and methods used in acquiring evidence that can hold up in a court of law. Any procedure needs to allow an independent third party to reproduce the same steps and come to the same conclusion. If your forensic management procedures are ever called into question, your reputation as a digital forensic expert could suffer. As computers and digital devices have become increasingly involved in our daily lives, so have the threats to a person's social and professional life expanded. Technology provides many targets of opportunity for cybercriminals, and digital forensics has a key role to play in bringing these cybercriminals to justice.
References
Awati, R., & Lutkevich, B. (2021, May 5). Computer forensics (cyber forensics). TechTarget. https://www.techtarget.com/searchsecurity/definition/computer-forensics
BH Consulting. (2016, December 19). How to build your first digital forensics lab on a budget. http://bhconsulting.ie/how-to-build-your-first-digital-forensics-lab-on-a-budget/
Carroll, O. L., Brannon, S. K., & Song, T. (2008, January). Computer forensics: Digital forensic analysis methodology. United States Attorney's Bulletin, 56(1), 1–9. https://www.justice.gov/sites/default/files/usao/legacy/2008/02/04/usab5601.pdf
Forensic Control. (2020, November 26). The ultimate guide: What is computer forensics? https://forensiccontrol.com/guides/what-is-computer-forensics/
National Institute of Justice. (n.d.). Digital evidence and forensics. Office of Justice Programs, U.S. Department of Justice. https://www.nij.gov/topics/forensics/evidence/digital/pages/welcome.aspx