Computer Forensics Investigation and The Review Tool
by Anthony Ranasinghe
Proprietary | Kroll Ontrack
Agenda
» Computer Forensic Investigations
» Computer Forensic Cases
» Computer Forensic Process
– Acquisition
– Analysis
» Case Study
» Review Tool
Computer Forensics Investigation
What is a Computer Forensic Investigation?
» Captures, preserves, extracts, and analyzes digital evidence
» Main focus on electronic evidence: where it can be located and how it can be accessed
» Retrieval and analysis of evidence, report on findings
What makes data become Electronic Evidence?
» Electronic evidence needs to be captured in a manner that guarantees it is not altered in any way during, or subsequent to, the actual collection; and that provides a verifiable audit trail starting at the moment of capture.
Computer Forensics Cases
Bribery / FCPA
Preservation of data
Termination for cause
Intellectual Property theft
Suspected computer misuse
Fraud / Executive misconduct
Computer Forensics Process
Incident Response
Strategy Planning
Acquisition
Preservation
Analysis
Presentation
Review
Computer Forensics Acquisition
Typical sources of Digital Evidence
» Emails (local machine, server, webmail)
» Computer devices (desktop, laptop, external drive, USB stick)
» Network shares (individual or department shared drives on network)
» Mobile Devices
» Forensic Imaging of an entire hard drive or a partition
» Active file collection from PC media, server, network location or cloud
» Remote collection
Computer Forensics Analysis
Recovery of Deleted Files
» File Carving
System Registry Files (Computer Log Record)
» Security Account Manager registry (SAM)
» USB device connection record
Link File Analysis
File Slack
Internet History Analysis
Recovery of Deleted Files
Files to be recovered
» Deleted without Recycle Bin, or when Recycle Bin has been emptied
» Removed by virus attack or power failure
» After the partition with the files was reformatted
» When the partition structure on a hard disk was changed or damaged
» Operating System temporary files (cookies, log files, etc.)
File Carving is the process of reassembling computer files from fragments in the absence of file system metadata, relying on the content and context of the files themselves (for example known header and footer signatures).
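Signature-based carving as described above, shown as an added example (this is illustrative code, not Kroll Ontrack's tooling); it assumes files are stored contiguously and scans a constructed byte image for header/footer pairs, ignoring any file-system metadata.

```python
"""Carve files from raw bytes by header/footer signatures (added example).
Assumption: carved files are contiguous; fragmented files are not handled."""
import re

# Header and footer signatures for a few common types
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 1 << 20) -> list[dict]:
    """Return carved files (type, offset, size, data) sorted by offset.
    Each header is paired with the nearest following footer within max_size;
    a header with no footer in range is a fragment and is skipped."""
    found = []
    for ftype, (head, foot) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), image):
            start = m.start()
            end = image.find(foot, start + len(head), start + max_size)
            if end == -1:
                continue
            end += len(foot)
            found.append({"type": ftype, "offset": start,
                          "size": end - start, "data": image[start:end]})
    return sorted(found, key=lambda f: f["offset"])


# Constructed "unallocated space": remnants of deleted files among junk bytes
IMAGE = (
    b"\x00" * 16
    + b"\x89PNG\r\n\x1a\n" + b"IHDR-data-here" + b"IEND\xaeB`\x82"
    + b"\x00" * 8
    + b"%PDF-1.4 deleted report body %%EOF"
    + b"random slack text"
    + b"\xff\xd8\xff\xe0" + b"JFIF-pixels" + b"\xff\xd9"
    + b"\xff\xd8\xff" + b"truncated jpeg without footer"
)

if __name__ == "__main__":
    for f in carve(IMAGE):
        print(f"{f['type']} at offset {f['offset']}, {f['size']} bytes")
```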
System Registry Files
» Security Account Manager (SAM)
» USB device connection record
Computer Forensics Analysis
Link File Analysis
» There are no records of a file being copied
» If someone drags and drops a file onto a USB drive, there will be no record other than the USB device being plugged in.
» It is possible, however, that someone copied a file to a USB drive and then opened it from the USB drive
» In this case an LNK file (a shortcut in Recent Documents) is created that points to the file on the USB drive, share drive or FTP location.
Computer Forensics Analysis
File Slack
» Space on the hard drive between a file's logical size (the bytes it actually uses) and its physical size (the whole clusters allocated to it). Whatever occupied that space before the file was written is not overwritten and remains as file slack.
» File slack can contain anything at all, from fragments of web pages and emails, and even complete small pictures, to junk text.
Computer Forensics Analysis
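The file-slack effect above, as an added example (not from the deck): a toy disk with a constructed cluster size of 512 bytes, an old file that is later "deleted", and a smaller new file written over the same clusters, leaving the old content recoverable from the slack.

```python
"""File slack on a cluster-allocating file system (added example).
Assumption: 512-byte clusters and a 4-cluster in-memory disk."""
CLUSTER = 512


def allocate(disk: bytearray, start_cluster: int, data: bytes) -> None:
    """Write data at a cluster boundary. Like most file systems, this does
    not wipe the remainder of the final cluster."""
    off = start_cluster * CLUSTER
    disk[off:off + len(data)] = data


def slack_region(disk: bytearray, start_cluster: int, logical_size: int) -> bytes:
    """Return the bytes between the file's logical end and the end of its
    last allocated cluster (its physical size)."""
    clusters = -(-logical_size // CLUSTER)        # ceiling division
    physical_size = clusters * CLUSTER
    off = start_cluster * CLUSTER
    return bytes(disk[off + logical_size:off + physical_size])


def demo() -> tuple[int, bytes]:
    """Old e-mail fragment fills two clusters; a 691-byte memo replaces it."""
    disk = bytearray(4 * CLUSTER)
    old = (b"From: cfo@example.invalid\r\nSubject: bonus schedule\r\n" * 20)[:2 * CLUSTER]
    allocate(disk, 0, old)                        # constructed "deleted" file
    new = b"Quarterly memo. " * 43 + b"END"       # 16 * 43 + 3 = 691 bytes
    allocate(disk, 0, new)                        # new file reuses the clusters
    slack = slack_region(disk, 0, len(new))
    return len(slack), slack


if __name__ == "__main__":
    size, slack = demo()
    print(f"{size} bytes of slack, e-mail fragment still present: "
          f"{b'bonus schedule' in slack}")
```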
Internet History Analysis
The Angry Employee
The Problem
An employee is fired. An inattentive supervisor gives him the opportunity to access his computer to remove ‘personal files’.
When the supervisor goes to access key files on the system, they have all mysteriously disappeared.
The Solution
File recovery
» Active and Deleted file list
Look for evidence
» Copying of files
» USB Device Analysis
» Any secure-delete or wiping software installed
Taken
The Problem
Five key employees all quit on the same day, leaving behind large bonus payments and secure jobs.
Rumor has it that they are starting their own firm.
Did they take company data with them?
The Solution
E-mail Search
» Recovery of deleted e-mails
Look for evidence
» Active File List
» USB device Analysis
» Link File Analysis
» Internet History Analysis
Forensics can find what was Copied or Removed
Review Tool | Legal Technologies | Asia Pacific
When is it used?
Litigation
» Patents
» Products Liability
» Bankruptcy, Contractual Disputes, etc.
International Arbitrations and Mediations
Competition and Anti-Trust Investigations
» Price Fixing
» Abuse of Market Share
Internal Investigations
Data Filtering Overview
Key benefits:
» File identification
» Effective keyword searching
» Elimination of blank and duplicate documents
» Segregation of potentially privileged documents
» Flagging of very large files
Filtering outcome categories: Responsive | Non-Responsive | Privileged
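A minimal filtering pass implementing the benefits listed above, added here as an example (not the review tool's own code): the keyword lists, size threshold and documents are all constructed, and classification is a simple keyword match, which a real review would refine.

```python
"""Data filtering for a review set (added example). Deduplicates by content
hash, drops blanks, flags very large files, segregates potentially privileged
documents and classifies the rest as Responsive or Non-Responsive."""
import hashlib
from dataclasses import dataclass

RESPONSIVE_TERMS = {"price", "market share", "tender"}           # assumption
PRIVILEGE_TERMS = {"attorney-client", "legal advice", "counsel"}  # assumption
LARGE_BYTES = 50 * 1024 * 1024                                    # assumption


@dataclass
class Doc:
    doc_id: str
    name: str
    body: str
    size: int = 0   # metadata size; 0 means "use the body length"


def filter_set(docs: list[Doc]) -> dict[str, list[str]]:
    """Return document ids grouped by filtering outcome."""
    buckets: dict[str, list[str]] = {k: [] for k in (
        "Responsive", "Non-Responsive", "Privileged", "Duplicate", "Blank", "Large")}
    seen: set[str] = set()
    for d in docs:
        digest = hashlib.sha256(d.body.encode()).hexdigest()
        if digest in seen:                       # exact duplicate: review once
            buckets["Duplicate"].append(d.doc_id)
            continue
        seen.add(digest)
        if not d.body.strip():                   # blank document
            buckets["Blank"].append(d.doc_id)
            continue
        if (d.size or len(d.body)) > LARGE_BYTES:
            buckets["Large"].append(d.doc_id)    # flagged, but still classified
        text = d.body.lower()
        if any(t in text for t in PRIVILEGE_TERMS):
            buckets["Privileged"].append(d.doc_id)   # segregate for counsel review
        elif any(t in text for t in RESPONSIVE_TERMS):
            buckets["Responsive"].append(d.doc_id)
        else:
            buckets["Non-Responsive"].append(d.doc_id)
    return buckets


# Constructed documents
DOCS = [
    Doc("D1", "memo.txt", "Competitors agreed to hold the price level next quarter."),
    Doc("D2", "memo_copy.txt", "Competitors agreed to hold the price level next quarter."),
    Doc("D3", "empty.txt", "   \n"),
    Doc("D4", "counsel.eml", "Attorney-client privileged: legal advice on the tender."),
    Doc("D5", "lunch.txt", "Team lunch moved to Thursday."),
    Doc("D6", "video.mp4", "binary placeholder", size=120 * 1024 * 1024),
]
```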
E-Mail Analytics
Who Was Talking to Whom?
E-Mail Analytics – Subject Lines
What Were the E-Mails Talking About?
E-Mail Analytics
When Did the E-Mail Communications Occur?
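The three e-mail analytics questions above (who, what, when), answered over a small constructed corpus as an added example that is not the review tool's implementation; addresses use the reserved example.invalid domain and the header parsing relies on the Python standard library.

```python
"""E-mail analytics (added example): who talked to whom, what the subjects
were, and when the traffic occurred, from RFC 5322 headers."""
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed messages; only headers matter for the analytics
CONSTRUCTED_MAILS = [
    "From: alice@example.invalid\r\nTo: bob@example.invalid, carol@example.invalid\r\n"
    "Subject: Re: tender pricing\r\nDate: Mon, 02 Mar 2015 09:15:00 +0800\r\n\r\nbody",
    "From: bob@example.invalid\r\nTo: alice@example.invalid\r\n"
    "Subject: RE: Tender pricing\r\nDate: Mon, 02 Mar 2015 11:40:00 +0800\r\n\r\nbody",
    "From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
    "Subject: client list export\r\nDate: Tue, 03 Mar 2015 22:05:00 +0800\r\n\r\nbody",
]


def normalise_subject(subject: str) -> str:
    """Strip reply/forward prefixes so one thread counts as one subject."""
    s = subject.strip()
    while s.lower().startswith(("re:", "fw:", "fwd:")):
        s = s.split(":", 1)[1].strip()
    return s.lower()


def analyse(raw_mails: list[str]) -> dict[str, Counter]:
    """Return sender->recipient pair counts, subject counts and per-day counts."""
    pairs: Counter = Counter()
    subjects: Counter = Counter()
    days: Counter = Counter()
    for raw in raw_mails:
        msg = message_from_string(raw)
        sender = getaddresses([msg.get("From", "")])[0][1].lower()
        to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
        for _, addr in getaddresses(to_cc):
            pairs[(sender, addr.lower())] += 1                 # who was talking to whom
        subjects[normalise_subject(msg.get("Subject", ""))] += 1   # what about
        days[parsedate_to_datetime(msg["Date"]).date().isoformat()] += 1  # when
    return {"pairs": pairs, "subjects": subjects, "days": days}


if __name__ == "__main__":
    for name, counter in analyse(CONSTRUCTED_MAILS).items():
        print(name, counter.most_common(3))
```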
Review Tool Interface
Projects will…
» Achieve deadlines
» Be defensible
» Position you to win your case
Tool set will…
» Maximize efficiency
» Enable continuous improvement
» Result in predictable lower costs
It’s our promise.
For further inquiries
Anthony Ranasinghe
DID - +65 6645 4941
Mobile - + 65 8692 8293
Email – [email protected]
www.krollontrack.com