Module II - Computer Forensics Investigation Process

Upload: desmond-devendran

Post on 19-May-2015

Page 1

Module II - Computer Forensics Investigation Process

Page 2

EC-Council. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited

News: Howard Eisemann, CEO of Able Forensic Investigations Announces New TSCM Investigative Section

Source: http://www.webwire.com/

Page 3

Module Objective

This module will familiarize you with:

• Investigating Computer Crime

• Steps to Prepare for Computer Forensic Investigation

• Investigation Process

  • Assess the Situation

  • Acquire the Evidence

  • Analyze the Evidence

  • Evidence Management

  • Report the Investigation

  • Present the Evidence to Court

Page 4

Module Flow

Flow diagram (text recovered from the figure): Investigating Computer Crime → Steps to Prepare for a Computer Forensic Investigation → Assess the Situation → Acquire the Evidence → Analyze the Evidence → Evidence Management → Report the Investigation → Present the Evidence to Court

Page 5

Investigating Computer Crime

Determine if an incident has occurred

Find and interpret the clues left behind

Conduct preliminary assessment to search for the evidence

Search and seize the computer’s equipment

Collect evidence that can be presented in the court of law or at a corporate inquiry

Page 6

Before the Investigation

Before starting the investigation, make sure you:

• Have a workstation and data recovery lab

• Build an investigating team

• Enter into an alliance with a local District Attorney

• Review policies and laws

• Notify decision makers and acquire authorization

• Assess risks

• Build a computer investigation toolkit

• Define the methodology

Page 7

Build a Forensics Workstation

The computer forensics approach should be clearly defined before building the forensic workstation

The computer forensics workstation should have facilities and tools to:

• Support hardware-based local and remote network drive duplication

• Validate the image and the file’s integrity

• Identify the date and time when the files have been modified, accessed, or created

• Identify the deleted files

• Support removable media

• Isolate and analyze free drive space

Page 8

Forensics Workstation

Page 9

Building the Investigation Team

Determine the person who should respond to an incident for a successful internal computer investigation

Identify team members and assign the responsibility to each team member

Assign one team member as the technical lead for the investigation

Keep the investigation team as small as possible to ensure confidentiality and to protect the organization against unwanted information leaks

Ensure that every team member has the necessary clearance and authorization to conduct assigned tasks

Engage a trusted external investigation team if your organization does not have personnel with the necessary skills

Page 10

People Involved in Computer Forensics

• Attorney: Gives legal advice

• Photographer: Photographs the crime scene and the evidence gathered

• Incident Responder: Responsible for the measures to be taken when an incident occurs

• Decision Maker: Responsible for authorization of a policy or procedure for the investigation process

Page 11

People Involved in Computer Forensics (cont’d)

• Incident Analyzer: Analyzes the incidents based on their occurrence

• Evidence Examiner/Investigator: Examines the evidence acquired and sorts out the useful evidence

• Evidence Documenter: Documents all the evidence and the phases present in the investigation process

• Evidence Manager: Manages the evidence in such a way that it is admissible in the court of law

• Expert Witness: Offers a formal opinion as testimony in the court of law

Page 12

Review Policies and Laws

It is essential to understand the laws that apply to the investigation, including the internal organization policies, before starting the investigation process

Identify possible concerns related to applicable Federal statutes (such as the Electronic Communications Privacy Act of 1986 (ECPA) and the Cable Communications Policy Act (CCPA), both as amended by the USA PATRIOT ACT of 2001, and/or the Privacy Protection Act of 1980 (PPA)), State statutes, and local policies and laws

The best practices in reviewing policies and laws include:

• Determine the extent of the authority to search

• Determine the legal authorities for conducting an investigation

• Consult a legal advisor on any issues raised by improper handling of the investigation

• Ensure the customer’s privacy and confidentiality

Page 13

Forensics Laws

18 USC §1029. Fraud and related activity in connection with access devices

18 USC §1030. Fraud and related activity in connection with computers

18 USC §1361-2 - Prohibits malicious mischief

Rule 402. Relevant Evidence Generally Admissible; Irrelevant Evidence Inadmissible

Rule 901. Requirement of Authentication or Identification

Rule 608. Evidence of Character and Conduct of Witness

Rule 609. Impeachment by evidence of conviction of crime

Page 14

Forensics Laws (cont’d)

Rule 502. Attorney-Client Privilege and Work Product; Limitations on Waiver

Rule 614. Calling and Interrogation of Witnesses by Court

Rule 701. Opinion Testimony by Lay Witnesses

Rule 705. Disclosure of Facts or Data Underlying Expert Opinion

Rule 1002. Requirement of Original

Rule 1003. Admissibility of Duplicates

Page 15

Notify Decision Makers and Acquire Authorization

Decision makers are the people who implement policies and procedures for handling an incident

Notify the decision maker to obtain authorization when there are no written incident response policies and procedures

Best practices to get authorization include:

• Obtain the authorization from an authorized decision maker to conduct the investigation

• Document all the events and decisions that occurred during the incident and incident response

• Depending on the scope of the incident, and in the absence of any national security or life safety issues, the first priority is to protect the organization from further harm

After the authorization, assess the situation and define the course of action

Page 16

Risk Assessment

Identify the incident and the problems caused by it

Characterize the incident according to its severity

Determine the data loss or damage caused to the computer due to the incident

Determine the possibility of other devices and systems being affected by the incident

Disconnect communications with other devices to prevent the incident from spreading

Page 17

Build a Computer Investigation Toolkit

Investigators need a collection of hardware and software tools to acquire data during an investigation

A computer investigation toolkit contains:

• A laptop computer with appropriate software tools

• Operating systems and patches

• Application media

• Write-protected backup devices

• Blank media

• Basic networking equipment

• Cables

Page 18

Computer Forensics Investigation Methodology

Flow diagram (text recovered from the figure; the steps appear in the order the following slides cover them): Obtain Search Warrant → Evaluate and Secure the Scene → Collect the Evidence → Secure the Evidence → Acquire the Data → Analyze the Data → Assess Evidence and Case → Prepare the Final Report → Testify in the Court as an Expert Witness

Page 19

Steps to Prepare for a Computer Forensic Investigation

Suspend automated document destruction and recycling policies that may pertain to any relevant media or users at issue

Secure any relevant media – including hard drives, laptops, Blackberries, PDAs, cell phones, CD-ROMs, DVDs, USB drives, and MP3 players – the subject may have used

Do not turn the computer off or on, run any programs, or attempt to access data on a computer. An expert will have the appropriate tools and experience to prevent data from overwriting, damage from static electricity, or other spoliation concerns

Page 20

Steps to Prepare for a Computer Forensic Investigation (cont’d)

Gather a list of names, email addresses, and other identifying information about those with whom the subject might have communicated

Obtain passwords to access the encrypted or password-protected files, if possible

Once the machine is secured, obtain information about the machine, peripherals, and the network to which it is connected

Identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination

Page 21

Steps to Prepare for a Computer Forensic Investigation (cont’d)

Develop a list of key words or phrases to use when searching for relevant data

Maintain a "chain of custody" for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession

If the computer is accessed before the forensic expert is able to secure a mirror image, list the user(s) that accessed it, what files they accessed, and when this occurred, and find out why the computer was accessed

Page 22

Computer Forensics Investigation Methodology

Page 23

Obtain Search Warrant

To carry out an investigation, a search warrant from a court is required

Warrants can be issued for:

• An entire company, floor, room, device, car, house, or any company-owned property

Where will this search be conducted?

Is it practical to search the computer system on site, or must the examination be conducted at a field office, or laboratory?

If agents remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?

Page 24

Example of Search Warrant

Page 25

Searches Without a Warrant

"When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity." United States v. David, 756 F. Supp. 1385, 1392 (D. Nev. 1991)

Agents may search a place or object without a warrant or, for that matter, without probable cause, if a person with authority has consented. Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973)

Page 26

Computer Forensics Investigation Methodology

Page 27

Forensic Photography

Snapshots of the evidence and the incident-prone areas need to be taken to support the forensic process

Photograph all the evidence, or at least the items that help in finding evidence

Label the photographed evidence according to the methodology

Photograph the evidence after the label is applied

Digital photography helps to capture, edit, and transfer the images faster

Digital photography helps in correcting the perspective of an image, which is used when taking measurements of the evidence

Page 28

Gather the Preliminary Information at the Scene

When an incident occurs, the following information should be gathered:

• Date and time

• Place and location of the incident

• Evidence from volatile and non-volatile systems

• Details of the person(s) involved in the incident

• Name and identification of any person who can serve as a potential witness

Page 29

First Responder

The first person at the scene of the incident should collect and preserve as much evidence as possible

Evidence on all sorts of devices present at the scene should be collected

Follow the law while collecting the evidence, or contact a computer forensic examiner as soon as possible

Page 30

Computer Forensics Investigation Methodology

Page 31

Collect Physical Evidence

Collect electronic devices or any other media that is found at the crime scene

To preserve the integrity of the physical evidence, all the pieces of evidence collected should be handled carefully

The objects identified as evidence should be tagged

The tag provides detailed information about the evidence

The physical evidence includes:

• Removable media

• Cables

• Publications

• All computer equipment, including peripherals

• Items taken from the trash

• Miscellaneous items

Page 32

Evidence Collection Form

EVIDENCE

Submitting Agency: ______________________________________________________

Case No: ______________________________________________________

Item No: ______________________________________________________

Date of Collection: ______________________________________________________

Time of Collection: ______________________________________________________

Collected by: ______________________________________________________

Badge No: ______________________________________________________

Description of Enclosed Evidence: ________________________________________________________________________________________________________________________________________________________________________________________________________________________

Location Where Collected:________________________________________________________________________________________________________________________________________________________________________________________________________________________

Type of Offense: ______________________________________________________

Victim’s Full Name: ______________________________________________________

Suspect’s Full Name: ___________________________________________________

Page 33

Collect Electronic Evidence

List the systems involved in the incident and from which systems evidence can be collected

For each system, obtain the relevant order of volatility

Record the extent of the system's clock drift

Collect the evidence from the people who are part of the incident

Capture the electronic serial number of the drive and other user-accessible, host-specific data

Page 34

Collect Electronic Evidence (cont’d)

Electronic evidence consists of:

Data Files:

• Office desktop computer/workstation

• Notebook computer

• Home computer

• Computer of personal assistants/secretary/staff

• Palmtop devices

• Network file servers/mainframes/mini-computers

Backup Tapes:

• System-wide backups (monthly/weekly/incremental)

• Disaster recovery backups (stored off site)

• Personal or “ad hoc” backups (look for diskettes and other portable media)

Page 35

Collect Electronic Evidence (cont’d)

Other Media Sources:

• Tape archives

• Replaced/removed drives

• Floppy diskettes and other portable media (e.g., CDs, Zip cartridges)

Page 36

Guidelines in Acquiring Evidence

Warning banners are used so that system activity can be recorded when an unauthorized user uses the system

In warning banners, organizations give clear and unequivocal notice to intruders that by signing onto the system they are expressly consenting to such monitoring

Seize the equipment that is connected to the case; knowing the role of the computer indicates what should be taken

During the seizure process, the computer should not be powered down

Ensure that the examiner’s storage device is forensically clean when acquiring the evidence

Write protection should be initiated, if available, to preserve and protect the original evidence

Page 37

Computer Forensics Investigation Methodology

Page 38

Secure the Evidence

Secure the evidence without damaging its identity

Place the evidence in a secured site that intruders cannot access

Maintain the chain of custody to properly track the evidence

Identify digital and non-digital artifacts to separate the evidence according to its nature

Maintain a log book at the entrance of the lab to record the time and name of each person who visits

Place an intrusion alarm system at the entrance of the forensic lab

Contact law enforcement agencies to learn how to preserve the evidence

Page 39

Evidence Management

Evidence management helps in protecting the true nature of the evidence

This is achieved by proper handling and documentation of the evidence

The procedures used to protect and document the evidence when collecting and shipping are:

• The logbook of the project

• A tag to uniquely identify the evidence

• A chain of custody record

At the time of evidence transfer, both sender and receiver need to record the date and time of the transfer in the chain of custody record

Page 40

Chain of Custody

Chain of custody is a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory

Functions:

• Governs the collection, handling, storage, testing, and disposition of evidence

• Safeguards against tampering with or substitution of evidence

• Documents that these steps have been carried out

The chain of custody form should identify:

• Sample collector

• Sample description, type, and number

• Sampling date and location

• Any custodians of the sample

Page 41

Chain of Custody Form

Case #: ____________          Client Ref. #: ____________

Client Item #: ______  Description: ____________________________
Make: ________  Model: ________  Serial #: ________  Other Identifying #: ________

Client Item #: ______  Description: ____________________________
Make: ________  Model: ________  Serial #: ________  Other Identifying #: ________

Client Item #: ______  Description: ____________________________
Make: ________  Model: ________  Serial #: ________  Other Identifying #: ________

CHAIN OF CUSTODY

Client Item #’s | Date/Time   | Released By            | Received By            | Reason
                | Date / Time | Name/Client, Signature | Name/Client, Signature |

Page 42

Computer Forensics Investigation Methodology

Page 43

Original Evidence Should NEVER be Used for Analysis

Page 44

Duplicate the Data (Imaging)

Duplicate the data to preserve the original data

The data should be duplicated bit by bit so that the copy represents the original data exactly

The data can be duplicated either through hardware or software

The duplicated data is sent to the forensic lab

Page 45

Verify Image Integrity

Calculate and match the MD5 hash for the original evidence and the forensic image

Matching hash values show that the image is identical to the evidence

Tools for calculating hash values:

• md5sum

• Free Hash
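The duplication and verification steps above, as an added example (not code from this module or from any named tool): the source is copied block by block, hashed while it is read, and the finished image is re-read and compared. MD5 is what the slide names; SHA-256 is computed alongside because MD5 alone is no longer collision resistant, and the sample evidence file is constructed in a temporary directory.

```python
"""Bit-for-bit duplication of an evidence file plus hash verification (added example)."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 1024 * 1024  # 1 MiB per read, the kind of fixed block an imager uses


def _hashers():
    # Both digests are updated from the same blocks, so one pass over the data suffices.
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def hash_file(path: str, block_size: int = BLOCK_SIZE) -> dict:
    """Return {'md5': hex, 'sha256': hex, 'bytes': n} for the whole file, streamed."""
    h = _hashers()
    total = 0
    with open(path, "rb") as f:
        while True:
            block = f.read(block_size)
            if not block:
                break
            total += len(block)
            for d in h.values():
                d.update(block)
    out = {name: d.hexdigest() for name, d in h.items()}
    out["bytes"] = total
    return out


def image_source(src: str, dst: str, block_size: int = BLOCK_SIZE) -> dict:
    """Copy src to dst unchanged, block by block, and return the source digests
    computed during the read so they can be written on the evidence form."""
    h = _hashers()
    total = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        while True:
            block = fin.read(block_size)
            if not block:
                break
            fout.write(block)
            total += len(block)
            for d in h.values():
                d.update(block)
        fout.flush()
        os.fsync(fout.fileno())  # the image must be on disk before it is re-read and hashed
    out = {name: d.hexdigest() for name, d in h.items()}
    out["bytes"] = total
    return out


def verify_image(src: str, dst: str) -> dict:
    """Re-read both original and image and report which digests match."""
    a, b = hash_file(src), hash_file(dst)
    return {
        "size_match": a["bytes"] == b["bytes"],
        "md5_match": a["md5"] == b["md5"],
        "sha256_match": a["sha256"] == b["sha256"],
        "verified": a == b,
    }


def demo() -> dict:
    """Image a constructed evidence file, verify it, then flip one byte in the
    image to show that a same-size corruption is still caught."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.bin")
        img = os.path.join(tmp, "evidence.dd")
        with open(src, "wb") as f:  # constructed sample data, not a real device
            f.write(os.urandom(3 * BLOCK_SIZE + 17))
        recorded = image_source(src, img)
        good = verify_image(src, img)
        with open(img, "r+b") as f:  # simulate a corrupted or tampered image
            f.seek(BLOCK_SIZE + 5)
            byte = f.read(1)
            f.seek(BLOCK_SIZE + 5)
            f.write(bytes([byte[0] ^ 0x01]))
        bad = verify_image(src, img)
        return {"recorded": recorded, "good": good, "bad": bad}


if __name__ == "__main__":
    print(demo())
```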

Page 46

Recover Lost or Deleted Data

Collect the lost or deleted data for evidence from the internal and external devices

Software used to recover the data includes:

• Partition Recovery Software

• Data Recovery Wizard

• PC Inspector File Recovery

• TestDisk and PhotoRec

• ISOBuster

• SoftPerfect File Recovery

Page 47

Computer Forensics Investigation Methodology

Page 48

Data Analysis

Thoroughly analyze the acquired data to draw conclusions related to the case

Data analysis techniques depend on the scope of the case or client’s requirements

This phase includes:

• Analysis of the file’s content, date, and time of file creation and modification, users associated with file creation, access, and file modification, and physical storage location of the file

• Timeline generation

Identify and categorize data in order of relevance
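Timeline generation from the file dates and times listed above, as an added example (not code from this module): every file under a root contributes modified, accessed and metadata-changed events, and the clock drift recorded during collection (suspect clock minus reference clock, in seconds) is subtracted so the timeline is expressed in reference time. It assumes the root is a read-only mounted copy of the image; the demo uses constructed files with forced timestamps.

```python
"""MAC-time timeline with clock-drift correction (added example)."""
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    timestamp: float  # seconds since epoch, already corrected to reference time
    kind: str         # 'm' modified, 'a' accessed, 'c' metadata changed
    path: str
    size: int

    def iso(self) -> str:
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc).isoformat()


def file_events(path: str, drift_seconds: float = 0.0) -> list:
    """Three events per file; drift is subtracted from the raw stat() times."""
    st = os.stat(path)
    raw = {"m": st.st_mtime, "a": st.st_atime, "c": st.st_ctime}
    return [Event(ts - drift_seconds, kind, path, st.st_size) for kind, ts in raw.items()]


def build_timeline(root: str, drift_seconds: float = 0.0) -> list:
    """Walk root, collect MAC events for every regular file and sort by corrected time.
    Ties are broken by kind, then path, so the output is deterministic."""
    events = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            events.extend(file_events(os.path.join(dirpath, name), drift_seconds))
    events.sort(key=lambda e: (e.timestamp, e.kind, e.path))
    return events


def events_between(events: list, start: float, end: float) -> list:
    """Restrict a timeline to the window of interest (inclusive bounds)."""
    return [e for e in events if start <= e.timestamp <= end]


def demo() -> dict:
    """Constructed sample: two files with forced times, suspect clock 300 s fast."""
    with tempfile.TemporaryDirectory() as tmp:
        base = 1_700_000_000  # constructed epoch reference, not a real case time
        for name, mtime in (("notes.txt", base + 600), ("report.docx", base + 60)):
            p = os.path.join(tmp, name)
            with open(p, "wb") as f:
                f.write(b"x" * 10)
            os.utime(p, (mtime, mtime))  # sets atime and mtime; ctime stays 'now'
        tl = build_timeline(tmp, drift_seconds=300)
        first_m = [e for e in tl if e.kind == "m"][0]
        return {
            "count": len(tl),
            "first_modified": first_m.path,
            "first_ts": first_m.timestamp,
            "in_window": len(events_between(tl, base, base + 400)),
        }


if __name__ == "__main__":
    for e in build_timeline(".", drift_seconds=0):
        print(e.iso(), e.kind, e.size, e.path)
```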

Page 49

Data Analysis Tools

Forensic tools help in sorting and analysis of a large volume of data to draw meaningful conclusions

Examples of data analysis tools:

• AccessData's FTK

• Guidance Software's EnCase

• Brian Carrier's Sleuth Kit

Page 50

Computer Forensics Investigation Methodology

Page 51

Evidence Assessment

The digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action

Conduct a thorough assessment by reviewing the search warrant or other legal authorization, case detail, nature of the hardware and software, potential evidence sought, and the circumstances surrounding the acquisition of the evidence to be examined

Page 52

Case Assessment

Review the case investigator’s request for service

Identify the legal authority for the forensic examination request

Document the chain of custody

Discuss whether other forensic processes need to be performed on the evidence (e.g., DNA analysis, fingerprint, tool marks, trace, and questioned documents)

Page 53

Case Assessment (cont’d)

Discuss the possibility of pursuing other investigative avenues to obtain additional digital evidence (e.g., sending a preservation order to an Internet service provider (ISP), identifying remote storage locations, obtaining email)

Consider the relevance of peripheral components to the investigation; for example, in forgery or fraud cases, consider non-computer equipment such as laminators, credit card blanks, check paper, scanners, and printers (In child pornography cases, consider digital cameras)

Determine the potential evidence being sought (e.g., photographs, spreadsheets, documents, databases, and financial records)

Determine additional information regarding the case (e.g., aliases, email accounts, email addresses, ISP used, names, network configuration and users, system logs, passwords, user names) which may be obtained through interviews with the system administrator, users, and employees

Page 54

Processing Location Assessment

Assess the evidence to determine where to conduct the examination

It is preferable to complete the examination in a controlled environment, such as a dedicated forensic work area or laboratory

Whenever circumstances require an onsite examination to be conducted, attempt to control the environment

Page 55

Processing Location Assessment (cont’d)

Assessment considerations include:

• The time needed onsite to accomplish evidence recovery

• Logistic and personnel concerns associated with long-term deployment

• The impact on the business due to a lengthy search

• The suitability of the equipment, resources, media, training, and experience for an onsite examination

Page 56

Best Practices

Analyze the physical and logical evidence for their value to the case

Use a safe cabinet to secure the evidence

Examine network service logs for any events of interest

Examine the large amount of host data, where only a portion of that data might be relevant to the incident

Perform offline analysis on a bit-wise copy of the original evidence

Search the contents of all gathered files to help identify files that may be of interest

Review the time and date stamps in the file system metadata

Correlate the file headers to the corresponding file extensions to identify any mismatches

Review the file names for relevance and patterns
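The header-to-extension correlation in the best practices above, as an added example (not code from this module): a small table of well-known file signatures is checked against each file's extension, files whose header is not in the table are reported as unknown rather than guessed, and only disagreements are returned. The sample files in the demo are constructed in a temporary directory.

```python
"""Flag files whose magic bytes disagree with their extension (added example)."""
import os
import tempfile

# (magic prefix, offset, extensions that legitimately carry this header)
SIGNATURES = [
    (b"\xff\xd8\xff", 0, {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, {".png"}),
    (b"GIF87a", 0, {".gif"}),
    (b"GIF89a", 0, {".gif"}),
    (b"%PDF-", 0, {".pdf"}),
    (b"PK\x03\x04", 0, {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"}),
    (b"MZ", 0, {".exe", ".dll", ".sys", ".scr"}),
    (b"\x7fELF", 0, {".elf", ".so", ".o"}),
    (b"Rar!\x1a\x07", 0, {".rar"}),
    (b"\x1f\x8b", 0, {".gz", ".tgz"}),
]
MAX_HEADER = max(off + len(sig) for sig, off, _ in SIGNATURES)


def identify(header: bytes):
    """Return the set of extensions matching the header, or None if no signature matches.
    Longer signatures are tried first so a short prefix never shadows a longer one."""
    for sig, off, exts in sorted(SIGNATURES, key=lambda s: -len(s[0])):
        if header[off:off + len(sig)] == sig:
            return exts
    return None


def classify(path: str) -> dict:
    """Compare one file's header with its extension: 'match', 'mismatch' or 'unknown'."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        header = f.read(MAX_HEADER)
    exts = identify(header)
    if exts is None:
        status = "unknown"
    elif ext in exts:
        status = "match"
    else:
        status = "mismatch"
    return {
        "path": path,
        "ext": ext,
        "header": header[:8].hex(),
        "expected": sorted(exts) if exts else [],
        "status": status,
    }


def scan(root: str) -> list:
    """Walk root and return only the files whose header and extension disagree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result = classify(os.path.join(dirpath, name))
            if result["status"] == "mismatch":
                hits.append(result)
    return sorted(hits, key=lambda r: r["path"])


def demo() -> list:
    """Constructed files: a genuine JPEG, a PE executable renamed .pdf, a docx, plain text."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
            "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 16,  # executable hiding behind .pdf
            "memo.docx": b"PK\x03\x04" + b"\x00" * 16,
            "readme.txt": b"plain text",
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        return [os.path.basename(r["path"]) + ":" + r["status"] for r in scan(tmp)]


if __name__ == "__main__":
    print(demo())
```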

Page 57

Computer Forensics Investigation Methodology

Page 58

Documentation in Each Phase

Assess the data:

• An initial estimate of the impact of the situation on the organization's business

• Summaries of interviews with users and system administrators

• Outcomes of any legal and third-party interactions

• Reports and logs generated by tools used during the assessment phase

• A proposed course of action

Acquire the data:

• Create a check-in/check-out list that includes information such as the name of the person examining the evidence, the exact date and time they check out the evidence, and the exact date and time they return it
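The chain of custody record (Page 40) and the check-in/check-out list above, as an added example (not code from this module): each transfer carries both parties and the date and time, and the chain is only intact if every transfer's receiver is the next transfer's releaser; the check-out log is consistent only if each check-out is closed by a check-in from the same person before anyone else takes the item. The records in the demo are constructed.

```python
"""Consistency checks for a chain-of-custody record and a check-in/check-out log (added example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class Transfer:
    item_id: str
    when: datetime
    released_by: str
    received_by: str
    reason: str


def validate_chain(transfers: List[Transfer]) -> List[str]:
    """Return a list of problems; an empty list means every item's chain is unbroken."""
    problems = []
    by_item = {}
    for t in transfers:
        by_item.setdefault(t.item_id, []).append(t)
    for item, ts in by_item.items():
        ts = sorted(ts, key=lambda t: t.when)
        for i, t in enumerate(ts):
            if t.released_by == t.received_by:
                problems.append(f"{item}: transfer at {t.when.isoformat()} has the same releaser and receiver")
            if i > 0 and ts[i - 1].received_by != t.released_by:
                # Nobody recorded how the item went from the previous receiver to this releaser.
                problems.append(f"{item}: custody gap between {ts[i - 1].received_by!r} "
                                f"and {t.released_by!r} at {t.when.isoformat()}")
            if i > 0 and ts[i - 1].when == t.when:
                problems.append(f"{item}: two transfers share the timestamp {t.when.isoformat()}")
    return problems


@dataclass(frozen=True)
class CheckEvent:
    item_id: str
    person: str
    when: datetime
    action: str  # 'out' or 'in'


def validate_checkouts(events: List[CheckEvent]) -> List[str]:
    """Every 'out' must be closed by an 'in' from the same person before the next 'out'."""
    problems = []
    holder = {}  # item_id -> person who currently has the item checked out
    for e in sorted(events, key=lambda e: e.when):
        if e.action == "out":
            if e.item_id in holder:
                problems.append(f"{e.item_id}: {e.person} checked out while held by {holder[e.item_id]}")
            holder[e.item_id] = e.person
        elif e.action == "in":
            if holder.get(e.item_id) != e.person:
                problems.append(f"{e.item_id}: {e.person} checked in but holder was {holder.get(e.item_id)}")
            holder.pop(e.item_id, None)
        else:
            problems.append(f"{e.item_id}: unknown action {e.action!r}")
    for item, person in holder.items():
        problems.append(f"{item}: still checked out by {person}")
    return problems


def demo() -> dict:
    """Constructed records: item 001 is clean, item 002 has a gap and an overlapping check-out."""
    d = datetime
    chain = [
        Transfer("001", d(2015, 5, 19, 9, 0), "First Responder", "Evidence Manager", "seizure"),
        Transfer("001", d(2015, 5, 19, 14, 30), "Evidence Manager", "Examiner", "imaging"),
        Transfer("002", d(2015, 5, 19, 9, 5), "First Responder", "Evidence Manager", "seizure"),
        # The hand-off from the Evidence Manager to the Courier was never logged.
        Transfer("002", d(2015, 5, 20, 8, 0), "Courier", "Examiner", "imaging"),
    ]
    checks = [
        CheckEvent("001", "Examiner", d(2015, 5, 19, 14, 30), "out"),
        CheckEvent("001", "Examiner", d(2015, 5, 19, 18, 0), "in"),
        CheckEvent("002", "Examiner", d(2015, 5, 20, 8, 0), "out"),
        CheckEvent("002", "Analyst", d(2015, 5, 20, 9, 0), "out"),  # taken while still held
    ]
    return {"chain": validate_chain(chain), "checks": validate_checkouts(checks)}


if __name__ == "__main__":
    print(demo())
```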

Page 59

Documentation in Each Phase (cont’d)

Analyze the data:

• Document the information regarding the number and type of operating system(s)

• Document the file’s content

• Document the result of correlation of files to the installed applications

• Document the user’s configuration settings

Page 60

Gather and Organize Information

Documentation from each phase should be identified for its relevance to the investigation

Procedures used to gather and organize the required documentation are:

• Gather all documentation and notes from the Assess, Acquire, and Analyze phases

• Identify parts of the documentation that are relevant to the investigation

• Identify facts to support the conclusions you will make in the report

• Create a list of all evidence to be submitted with the report

• List any conclusions you wish to make in your report

• Organize and classify the information you gathered to ensure that you get a clear and concise report

Page 61

Writing the Investigation Report

Report Writing:

• Report writing is a crucial stage in the outcome of the investigation

• The report should be clear, concise, and written for the appropriate audience

The information included in the report sections is:

Purpose of Report:

• Clearly explain the objective of the report, the target audience, and why the report was prepared

Author of Report:

• List all authors and co-authors of the report, including their positions, responsibilities during the investigation, and contact details

Page 62: File000115

Writing the Investigation Report (cont’d)

Incident Summary:

• Introduce the incident and explain its impact; the summary should explain clearly what happened and how the incident occurred

Evidence:

• Provide descriptions of the evidence that was acquired during the investigation

Details:

• Provide a detailed description of what evidence was analyzed and the analysis methods that were used
• Explain the findings of the analysis
• List the procedures that were followed during the investigation and any analysis techniques that were used
• Include proof of your findings, such as utility reports and log entries

Page 63: File000115

Writing the Investigation Report (cont’d)

Conclusion:

• Summarize the outcome of the investigation
• Cite specific evidence to prove the conclusion
• The conclusion should be clear and unambiguous

Supporting documents:

• Include any background information referred to throughout the report, such as network diagrams, documents that describe the computer investigation procedures used, and overviews of technologies that are involved in the investigation
• It is important that supporting documents provide enough information for the report reader to understand the incident as completely as possible

Page 64: File000115

Sample Report

[Pages 64 to 70 show a sample investigation report as slide images; the report text is not present in this transcript]

Page 71: File000115

Computer Forensics Investigation Methodology

The methodology proceeds through the following steps, in order:

• Obtain Search Warrant
• Evaluate and Secure the Scene
• Collect the Evidence
• Secure the Evidence
• Acquire the Data
• Analyze the Data
• Assess Evidence and Case
• Prepare the Final Report
• Testify in the Court as an Expert Witness

Page 72: File000115

Expert Witness

An expert witness is a person with thorough knowledge of his or her subject, whose opinion the court may therefore legally rely on

The role of an expert witness is to:

• Investigate a crime
• Evaluate the evidence
• Educate the public and the court
• Testify in court

Role of the expert witness in bringing evidence to court:

• Assist the court in understanding intricate evidence
• Aid the attorney in getting to the truth
• Truthfully, objectively, and fully express his or her expert opinion, without regard to any outside views or influence

Page 73: File000115

Testifying in the Court Room

Presenting digital evidence in court requires knowledge of new, specialized, evolving, and sometimes complex technology

Things that take place in the court room:

• Familiarize yourself with the usual procedures that are followed during a trial
• The attorney introduces the expert witness and establishes his or her qualifications
• The opposing counsel may try to discredit the expert witness
• The attorney leads the expert witness through the evidence
• This is followed by cross-examination by the opposing counsel

Page 74: File000115

Closing the Case

The investigator should include what was done and the results in the final report

A basic report covers: who, what, when, where, and how

In a good computing investigation, the steps can be repeated and the results obtained are the same every time

The report should explain the computer and network processes and the inner workings of the system

The investigator should provide explanations for the various processes and their interrelated components
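The check-in/check-out list required in the Acquire phase and the repeatability required when closing the case can be enforced by one record. The following is an added example, not EC-Council's code or a tool from this module: a chain-of-custody ledger that logs each acquisition, check-out and check-in with the SHA-256 of the evidence image, refuses a check-out or check-in whose hash no longer matches the hash recorded at acquisition, and hash-links every entry to the previous one so that a later edit to the log itself is detectable. The item identifier, names, timestamps and evidence bytes are constructed for illustration and assume nothing about any real case.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


class CustodyError(Exception):
    """A custody rule was violated or the evidence failed verification."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    item_id: str
    action: str            # "acquired", "checkout" or "checkin"
    person: str
    reason: str            # why this person took or returned the item
    timestamp: str         # ISO 8601, UTC
    evidence_hash: str     # SHA-256 of the evidence at the time of the entry
    prev_entry_hash: str   # entry_hash of the previous ledger entry
    entry_hash: str = ""   # SHA-256 over every other field of this entry

    def compute_hash(self) -> str:
        fields = asdict(self)
        fields.pop("entry_hash")
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode("utf-8"))


class CustodyLedger:
    GENESIS = "0" * 64  # prev_entry_hash of the first entry

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []
        self.baseline: Dict[str, str] = {}          # item_id -> hash at acquisition
        self.holder: Dict[str, Optional[str]] = {}  # item_id -> who has it now

    def _record(self, item_id, action, person, reason, evidence, when) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        entry = CustodyEntry(item_id, action, person, reason, stamp,
                             sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def _verify(self, item_id: str, evidence: bytes) -> None:
        actual = sha256_hex(evidence)
        if actual != self.baseline[item_id]:
            raise CustodyError(f"{item_id}: hash {actual} does not match "
                               f"acquisition hash {self.baseline[item_id]}")

    def acquire(self, item_id, person, reason, evidence, when=None):
        if item_id in self.baseline:
            raise CustodyError(f"{item_id} is already in the ledger")
        entry = self._record(item_id, "acquired", person, reason, evidence, when)
        self.baseline[item_id] = entry.evidence_hash
        self.holder[item_id] = None
        return entry

    def checkout(self, item_id, person, reason, evidence, when=None):
        if item_id not in self.baseline:
            raise CustodyError(f"{item_id} is not in the ledger")
        if self.holder[item_id] is not None:
            raise CustodyError(f"{item_id} is already checked out to {self.holder[item_id]}")
        self._verify(item_id, evidence)
        self.holder[item_id] = person
        return self._record(item_id, "checkout", person, reason, evidence, when)

    def checkin(self, item_id, person, reason, evidence, when=None):
        if self.holder.get(item_id) != person:
            raise CustodyError(f"{item_id} is not checked out to {person}")
        self._verify(item_id, evidence)   # rejects an image altered while it was out
        self.holder[item_id] = None
        return self._record(item_id, "checkin", person, reason, evidence, when)

    def verify_chain(self) -> bool:
        """Recompute every entry hash and link; False if any entry was edited."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry.prev_entry_hash != prev or entry.compute_hash() != entry.entry_hash:
                return False
            prev = entry.entry_hash
        return True


def demo_ledger() -> CustodyLedger:
    image = b"constructed stand-in for a forensic disk image"   # constructed sample
    t0 = datetime(2009, 3, 2, 9, 0, tzinfo=timezone.utc)         # constructed times
    ledger = CustodyLedger()
    ledger.acquire("HDD-001", "A. Examiner", "imaged suspect workstation", image, t0)
    ledger.checkout("HDD-001", "B. Analyst", "file system analysis", image,
                    t0 + timedelta(hours=1))
    ledger.checkin("HDD-001", "B. Analyst", "analysis complete", image,
                   t0 + timedelta(hours=5))
    return ledger
```

`demo_ledger()` produces three linked entries and `verify_chain()` recomputes every hash and link; a mismatch on check-in is the signal that the working copy changed while it was out, which is exactly the condition that breaks the repeatability this slide asks for. In practice the hash is taken over the image file itself (feeding `hashlib` in chunks), not over bytes held in memory.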

Page 75: File000115

Maintaining Professional Conduct

Consider all the available facts that relate to the crime scene

Ignore external biases to maintain the integrity of the fact-finding in all investigations

Keep the case confidential

Stay current on the latest technical changes in computer hardware and software, networking, and forensic tools

Maintain a chain of custody

Follow these criteria to maintain professional conduct:

• Credibility
• Ethics and morals
• Standards of behavior
• Maintain objectivity and confidentiality
• Up-to-date technical knowledge
• Conduct with integrity

Page 76: File000115

Investigating a Company Policy Violation

Employees using the company’s resources for personal use not only waste the company’s time and resources but also violate the company’s policy

Trace such employees and educate them about the company’s policy; if the problem persists, take suitable action

Employees misusing resources can cost companies millions of dollars

Misusing resources includes:

• Surfing the Internet
• Sending personal emails
• Using company computers for personal tasks

While investigating, the business must continue with minimal interruption

Page 77: File000115

Computer Forensics Service Providers

Service Provider: Link

CFS: http://www.computer-forensic.com/

Lab Systems: http://www.labsystems.co.in/

DataBank Services: http://www.databankservices.com/

Computer Legal Experts: http://www.ontonet.com/default.asp

Data Triage Technologies: http://www.datatriage.com/computer_forensics.php

New York Computer Forensic Services: http://www.newyorkcomputerforensics.com/

Global Digital Forensics: http://www.evestigate.com/

Page 78: File000115

Summary

Collect evidence that can be presented in a court of law or at a corporate inquiry

Maintain a "chain of custody" for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession

Obtain proper written authorization from an authorized decision maker to conduct the computer investigation

The first person at the scene of the incident should collect and preserve as much evidence as possible
