ch 2 - computer forensic methodology and process

Computer Forensic Methodology and Process: 2.1 Internet Fundamental, 2.2 Application Address, 2.3 Dial-up Session, Tracing Email and News Postings

Upload: madeline-lim

Post on 30-Sep-2015

TRANSCRIPT

  • Computer Forensic Methodology and Process

    2.1 Internet Fundamental

    2.2 Application Address

    2.3 Dial-up Session

    2.4 Tracing Email and News Postings

  • 2.1 Internet Fundamental

    2.2 Application Address

  • Why is Application Evidence important?

    In the legal world, Evidence is EVERYTHING.

    Evidence is used to establish facts.

    The Forensic Examiner is not biased.

  • Who are the Victims in Application Address?

    Private Business

    Government

    Private Individuals

  • Types of Forensic Requests

    Intrusion Analysis

    Damage Assessment

    Suspect Examination

    Tool Analysis

    Log File Analysis

    Evidence Search

  • A Dial-Up Session

    Now that you have an understanding of some Internetworking basics, let's take a look at how a typical Internet dial-up session works. When you dial in to an ISP with a modem, you might use a layer 3 protocol called Point-to-Point Protocol (PPP). Layer 3 is the network layer, and in the case of a dial-up connection, PPP replaces IP.

    Connectivity is not automatic, though. A dial-up session must first be authenticated, and then an IP address is assigned. The modem at the ISP's Point of

  • 2.4 Tracing Email and Netw Posting

  • File Recovery

    Deleted Files

    Hidden Files

    Slack Space

    Bad Blocks

    Steganography

    X-Drives

    NTFS Streams

  • Evidence Search

    Image Files

    Software applications

    Deleted Files

    Hidden Files

    Encrypted Files

    Hidden partitions

    Keyword Search

    Known Remote Access Tools

  • Forensics Process

    Preparation

    Protection

    Imaging

    Examination

    Documentation

  • Preparation

    Confirm the authority to conduct analysis/search of media.

    Verify the purpose of the analysis and the clearly defined desired results.

    Ensure that sterile media is available and utilized for imaging (i.e. free of viruses and non-essential files, and verified before use).

    Ensure that all software tools utilized for the analysis are tested and widely accepted for use in the forensics community.

  • Legal Overview

    Employer Searches in Private-Sector Workplaces

    Warrantless workplace searches by private employers rarely violate the Fourth Amendment. So long as the employer is not acting as an instrument or agent of the Government at the time of the search, the search is a private search and the Fourth Amendment does not apply. See Skinner v. Railway Labor Executives Assn, 489 U.S. 602, 614 (1989).

    Consult with your Legal Counsel

  • Protection

    Protect the integrity of the evidence.

    Maintain control until final disposition.

    Prior to booting the target computer, DISCONNECT the HDD and verify CMOS.

    When booting a machine for analysis, utilize HD Lock software.

  • Typical CBD Files

  • Imaging

    Utilize disk imaging software to make an exact image of the target media. Verify the image.

    When conducting an analysis of target media, utilize the restored image of the target media; never utilize the actual target media.
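    The imaging and verification steps above, as an added example that is not from the slides: a Python script that copies a target medium block by block, hashes source and image, verifies the copy, and records the result for the examiner's documentation, then re-checks the working image before a later session. It assumes a regular file stands in for the block device (on a real case the source would be the write-blocked device node), and the file names and sample contents are constructed.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read/write in 1 MiB blocks so large media never sit in RAM

def sha256_of(path):
    """Hash a file by streaming it; used to re-verify the image independently."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_and_verify(source, image):
    """Copy `source` to `image` bit for bit, hashing the source as it is read,
    then re-read the finished image from disk and compare. Returns a custody record."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    img_digest = sha256_of(image)  # read back from disk, not trusted from memory
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source,
        "image": image,
        "size_bytes": os.path.getsize(source),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": img_digest,
        "verified": src_hash.hexdigest() == img_digest,
    }

def image_still_pristine(record):
    """Re-hash the working image before each session; False means it was altered."""
    return sha256_of(record["image"]) == record["sha256_image"]

def demo():
    """Constructed sample: a 3 MiB stand-in 'device' file (hypothetical path),
    imaged and verified, then scribbled on to show the pristine check catching it."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "target_disk.raw")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * (3 * CHUNK // 256))
    record = image_and_verify(source, os.path.join(workdir, "target_disk.dd"))
    before = image_still_pristine(record)
    with open(record["image"], "r+b") as f:
        f.write(b"\xff")  # byte 0 was 0x00, so this is a real modification
    return record, before, image_still_pristine(record)
```

A mismatch on the pristine check means the working copy must be discarded and restored again from the verified image.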

  • Imaging Software

  • Examination

    The Operating System

    Services

    Applications/processes

    Hardware

    LOGFILES!

    System, Security, and Application

    File System

  • Examination Continued

    Deleted/Hidden Files/NTFS Streams

    Software

    Encryption Software

    Published Shares/Permissions

    Password Files

  • Off-Site Storage

    FTP Links

    FTP Logs

    Shares on internal networks

  • Documentation

    Document EVERYTHING

    Reason for Examination

    The Scene

    Utilize Screen Capture/Copy Suspected files

    All apps for Analysis/apps on Examined system.

  • Closing

    Forensic Techniques are based on the File System of the media to be examined.