Module II - Computer Forensics Investigation Process
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Howard Eisemann, CEO of Able Forensic Investigations Announces New TSCM Investigative Section
Source: http://www.webwire.com/
Module Objective
This module will familiarize you with:
• Investigating Computer Crime
• Steps to Prepare for Computer Forensic Investigation
• Investigation Process
• Assess the Situation
• Acquire the Evidence
• Analyze the Evidence
• Evidence Management
• Report the Investigation
• Present the Evidence to Court
Module Flow
(flow diagram) The module covers, in order:
• Investigating Computer Crime
• Steps to Prepare for a Computer Forensic Investigation
• Assess the Situation
• Acquire the Evidence
• Analyze the Evidence
• Evidence Management
• Report the Investigation
• Present the Evidence to Court
Investigating Computer Crime
Determine if an incident has occurred
Find and interpret the clues left behind
Conduct preliminary assessment to search for the evidence
Search and seize the computer’s equipment
Collect evidence that can be presented in the court of law or at a corporate inquiry
Before the Investigation
Before starting the investigation, make sure you:
• Have a workstation and a data recovery lab
• Build the investigating team
• Enter into an alliance with the local District Attorney
• Review policies and laws
• Notify decision makers and acquire authorization
• Assess risks
• Build a computer investigation toolkit
• Define the methodology
Build a Forensics Workstation
The computer forensics approach should be clearly defined before the forensic workstation is built
The computer forensics workstation should have facilities and tools to:
• Support hardware-based local and remote network drive duplication
• Validate the integrity of the image and of individual files
• Identify the date and time when files were modified, accessed, or created
• Identify deleted files
• Support removable media
• Isolate and analyze free (unallocated) drive space
Forensics Workstation
Building the Investigation Team
Determine the person who should respond to an incident for a successful internal computer investigation
Identify team members and assign the responsibility to each team member
Assign one team member as the technical lead for the investigation
Keep the investigation team as small as possible to ensure confidentiality and to protect the organization against unwanted information leaks
Ensure that every team member has the necessary clearance and authorization to conduct assigned tasks
Engage a trusted external investigation team if your organization does not have personnel with the necessary skills
People Involved in Computer Forensics
• Attorney: gives legal advice
• Photographer: photographs the crime scene and the evidence gathered
• Incident Responder: responsible for the measures to be taken when an incident occurs
• Decision Maker: responsible for authorizing the policy or procedure for the investigation process
People Involved in Computer Forensics (cont’d)
• Incident Analyzer: analyzes the incidents based on their occurrence
• Evidence Examiner/Investigator: examines the acquired evidence and sorts out the useful evidence
• Evidence Documenter: documents all the evidence and every phase of the investigation process
• Evidence Manager: manages the evidence so that it remains admissible in a court of law
• Expert Witness: offers a formal opinion as testimony in a court of law
Review Policies and Laws
It is essential to understand the laws that apply to the investigation including the internal organization policies before starting the investigation process
Identify possible concerns related to applicable Federal statutes (such as the Electronic Communications Privacy Act of 1986 (ECPA) and the Cable Communications Policy Act (CCPA), both as amended by the USA PATRIOT ACT of 2001, and/or the Privacy Protection Act of 1980 (PPA)), State statutes, and local policies and laws
The best practices in reviewing policies and laws include:
• Determine the extent of the authority to search
• Determine the legal authorities for conducting an investigation
• Consult with a legal advisor on issues raised by any improper handling of the investigation
• Ensure the customer's privacy and confidentiality
Forensics Laws
United States Code, Title 18:
18 USC §1029. Fraud and related activity in connection with access devices
18 USC §1030. Fraud and related activity in connection with computers
18 USC §1361-2. Prohibits malicious mischief
Federal Rules of Evidence:
Rule 402. Relevant Evidence Generally Admissible; Irrelevant Evidence Inadmissible
Rule 901. Requirement of Authentication or Identification
Rule 608. Evidence of Character and Conduct of Witness
Rule 609. Impeachment by Evidence of Conviction of Crime
Forensics Laws (cont’d)
Federal Rules of Evidence (cont'd):
Rule 502. Attorney-Client Privilege and Work Product; Limitations on Waiver
Rule 614. Calling and Interrogation of Witnesses by Court
Rule 701. Opinion Testimony by Lay Witnesses
Rule 705. Disclosure of Facts or Data Underlying Expert Opinion
Rule 1002. Requirement of Original
Rule 1003. Admissibility of Duplicates
Notify Decision Makers and Acquire Authorization
Decision makers are the people who implement the policies and procedures for handling an incident
If there are no written incident response policies and procedures, notify the decision maker and obtain authorization from them
Best practices to get authorization include:
• Obtain authorization from an authorized decision maker to conduct the investigation
• Document all the events and decisions that occurred during the incident and the incident response
• Depending on the scope of the incident, and in the absence of any national security or life-safety issues, the first priority is to protect the organization from further harm
After the authorization, assess the situation and define the course of action
Risk Assessment
Identify the incident and the problems caused by it
Characterize the incident according to its severity
Determine the data loss or damage caused to the computer due to the incident
Determine the possibility of other devices and systems being affected by the incident
Isolate the affected systems (break their communications with other devices) to prevent the incident from spreading
Build a Computer Investigation Toolkit
Investigators need a collection of hardware and software tools to acquire data during an investigation
A computer investigation toolkit contains:
• A laptop computer with appropriate software tools
• Operating systems and patches
• Application media
• Write-protected backup devices
• Blank media
• Basic networking equipment
• Cables
Computer Forensics Investigation Methodology
(flow diagram) The phases, in order:
• Obtain Search Warrant
• Evaluate and Secure the Scene
• Collect the Evidence
• Secure the Evidence
• Acquire the Data
• Analyze the Data
• Assess Evidence and Case
• Prepare the Final Report
• Testify in the Court as an Expert Witness
Steps to Prepare for a Computer Forensic Investigation
Suspend automated document destruction and recycling policies that may pertain to any relevant media or users at issue
Secure any relevant media – including hard drives, laptops, Blackberries, PDAs, cell phones, CD-ROMs, DVDs, USB drives, and MP3 players – the subject may have used
Do not turn the computer off or on, run any programs, or attempt to access data on a computer. An expert will have the appropriate tools and experience to prevent data from overwriting, damage from static electricity, or other spoliation concerns
Steps to Prepare for a Computer Forensic Investigation (cont’d)
Gather a list of names, email addresses, and other identifying information about those with whom the subject might have communicated
Obtain passwords to access the encrypted or password-protected files, if possible
Once the machine is secured, obtain information about the machine, peripherals, and the network to which it is connected
Identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination
Steps to Prepare for a Computer Forensic Investigation (cont’d)
Develop a list of key words or phrases to use when searching for relevant data
Maintain a "chain of custody" for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession
If the computer is accessed before the forensic expert is able to secure a mirror image, list the user(s) that accessed it, what files they accessed, and when this occurred, and find out why the computer was accessed
Computer Forensics Investigation Methodology (flow diagram repeated; phase covered next: Obtain Search Warrant)
Obtain Search Warrant
For a law-enforcement search, a warrant issued by a court is normally required before the investigation can proceed (the exceptions are covered under Searches Without a Warrant)
Warrants can be issued for:
• An entire company, a floor, a room, a device, a car, a house, or any company-owned property
Where will this search be conducted?
Is it practical to search the computer system on site, or must the examination be conducted at a field office, or laboratory?
If agents remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
Example of Search Warrant
Searches Without a Warrant
"When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity." United States v. David, 756 F. Supp. 1385, 1392 (D. Nev. 1991)
Agents may search a place or object without a warrant or, for that matter, without probable cause, if a person with authority has consented. Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973)
Computer Forensics Investigation Methodology (flow diagram repeated; phase covered next: Evaluate and Secure the Scene)
Forensic Photography
Photographs of the evidence and of the incident-prone areas need to be taken to support the forensic process
Photograph all the evidence, or at least the items that help in finding evidence
Label the photographed evidence according to the methodology
Photograph the evidence again after the label is applied
Digital photography allows images to be captured, edited, and transferred faster (the unedited originals must be preserved)
Digital photography allows the perspective of an image to be corrected, which is used when taking measurements of the evidence from the photograph
Gather the Preliminary Information at the Scene
When an incident occurs, the following information should be gathered:
• Date and time
• Place and location of the incident
• Evidence from the volatile and non-volatile parts of the system
• Details of the person(s) involved in the incident
• Name and identification of any person who can serve as a potential witness
First Responder
The first person at the scene of the incident should collect and preserve as much evidence as possible
Evidence on all the devices present at the scene should be collected
Follow the applicable law while collecting the evidence, or contact a computer forensic examiner as soon as possible
Computer Forensics Investigation Methodology (flow diagram repeated; phase covered next: Collect the Evidence)
Collect Physical Evidence
Collect electronic devices or any other media that is found at the crime scene
To preserve the integrity of the physical evidence, all the pieces of evidence collected should be handled carefully
The objects identified as evidence should be tagged
The tag provides detailed information about the evidence
The physical evidence includes:
• Removable media
• Cables
• Publications
• All computer equipment, including peripherals
• Items taken from the trash
• Miscellaneous items
Evidence Collection Form
EVIDENCE
Submitting Agency: ______
Case No: ______
Item No: ______
Date of Collection: ______
Time of Collection: ______
Collected by: ______
Badge No: ______
Description of Enclosed Evidence: ______
Location Where Collected: ______
Type of Offense: ______
Victim's Full Name: ______
Suspect's Full Name: ______
Collect Electronic Evidence
List the systems involved in the incident and from which systems evidence can be collected
For each system, establish the relevant order of volatility and collect the most volatile data (memory contents, network state, running processes) first
Record the extent of the system's clock drift against a trusted time source, so that timestamps can be corrected during analysis
Collect the evidence from the people who are part of the incident
Capture the electronic serial number of the drive and other user-accessible, host-specific data
Collect Electronic Evidence (cont’d)
Electronic evidence consists of:
Data Files:
• Office desktop computer/workstation
• Notebook computer
• Home computer
• Computers of personal assistants/secretaries/staff
• Palmtop devices
• Network file servers/mainframes/mini-computers
Backup Tapes:
• System-wide backups (monthly/weekly/incremental)
• Disaster recovery backups (stored off site)
• Personal or "ad hoc" backups (look for diskettes and other portable media)
Collect Electronic Evidence (cont’d)
Other Media Sources:
• Tape archives
• Replaced/removed drives
• Floppy diskettes and other portable media (e.g., CDs, Zip cartridges)
Guidelines in Acquiring Evidence
Warning banners give the organization a basis for monitoring and recording system activity when the system is used by an unauthorized user
In a warning banner, the organization gives clear and unequivocal notice to intruders that by signing onto the system they are expressly consenting to such monitoring
Seize the equipment connected to the case; knowing the role the computer played in the incident indicates what should be taken
Do not power the computer down during the seizure process (powering down destroys volatile data such as memory contents and network connections)
Ensure that the examiner's storage device is forensically clean (wiped and verified) before acquiring the evidence onto it
Initiate write protection, if available, to preserve and protect the original evidence
Computer Forensics Investigation Methodology (flow diagram repeated; phase covered next: Secure the Evidence)
Secure the Evidence
Secure the evidence without altering it or compromising its identification
Place the evidence in a secured site where no unauthorized person can access it
Maintain the chain of custody to properly track the evidence
Identify digital and non-digital artifacts and separate the evidence according to its type and handling requirements
Maintain a log book at the entrance of the lab to record the name and the entry and exit times of every person who visits
Place an intrusion alarm system at the entrance of the forensic lab
Contact law enforcement agencies for guidance on how to preserve the evidence
Evidence Management
Evidence management helps in protecting the integrity of the evidence
This is achieved by proper handling and documentation of the evidence
The procedures used to protect and document the evidence when collecting and shipping it are:
• The logbook of the project
• A tag to uniquely identify each item of evidence
• A chain of custody record
At the time of an evidence transfer, both the sender and the receiver must record the date and time of the transfer in the chain of custody record
Chain of Custody
Chain of custody is a legal record that documents the progression of the evidence as it travels from its original location to the forensic laboratory
Functions:
• Governs the collection, handling, storage, testing, and disposition of evidence
• Safeguards against tampering with or substitution of evidence
• Documents that these steps have been carried out
The chain of custody form should identify:
• The sample collector
• The sample description, type, and number
• The sampling date and location
• Every custodian of the sample
Chain of Custody Form
Case #: ______    Client Ref. #: ______
Items (one row per item; the form has three rows):
Client Item # | Description | Make | Model | Serial # | Other Identifying #
CHAIN OF CUSTODY
Client Item #'s | Date/Time | Released By (Name/Client, Signature) | Received By (Name/Client, Signature) | Reason
Computer Forensics Investigation Methodology (flow diagram repeated; phase covered next: Acquire the Data)
Original Evidence Should NEVER be Used for Analysis
Duplicate the Data (Imaging)
Duplicate the data so that the original is preserved and all analysis is done on the copy
The data should be duplicated bit for bit (a bit-stream image), so that the copy is identical to the original, including unallocated and slack space
The data can be duplicated with either hardware or software duplicators
The duplicated data is sent to the forensic lab
Verify Image Integrity
Calculate the MD5 hash of the original evidence and of the forensic image and compare them
Matching hash values show that the image is identical to the evidence; any difference means the image cannot be relied on and must be re-acquired
MD5 is no longer collision-resistant, so record a SHA-256 (or stronger) hash alongside it
Tools for calculating hash values:
• md5sum
• Free Hash
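The duplication and verification steps above, as an added example (not code from the slides and not the code of any duplicator or hash tool they name): a sector-by-sector copy of a constructed in-memory "drive", with an unreadable sector padded with zeros the way `dd conv=noerror,sync` pads it, and acquisition and verification hashes recorded in both MD5 and SHA-256. The `FlakyDrive` class, the `sample_drive` contents and the `acquire` helper are constructed for the example; on a real case the source would be the device file behind a hardware write blocker, opened read-only.

```python
"""Bit-stream imaging with hash verification (added example)."""
import hashlib
import io
from typing import Optional

SECTOR = 512


class FlakyDrive:
    """Constructed stand-in for the suspect drive: raw bytes plus, optionally,
    one sector that fails to read with EIO, as a failing disk does."""

    def __init__(self, data: bytes, bad_sector: Optional[int] = None):
        self.data, self.pos, self.bad = data, 0, bad_sector

    def seek(self, pos: int) -> None:
        self.pos = pos

    def read(self, n: int) -> bytes:
        if self.bad is not None and self.pos // SECTOR == self.bad:
            raise OSError(5, "Input/output error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def image_device(src, size: int, out, sector: int = SECTOR):
    """Copy `size` bytes of `src` into `out` one sector at a time.

    A sector that cannot be read is written as zeros and its number logged,
    so every later offset in the image still lines up with the source.
    Returns (bad_sectors, md5, sha256): the acquisition hashes, computed over
    exactly the bytes written.  MD5 is what the slides name; it is no longer
    collision-resistant, so SHA-256 is recorded alongside it."""
    md5, sha, bad = hashlib.md5(), hashlib.sha256(), []
    for offset in range(0, size, sector):
        src.seek(offset)
        try:
            chunk = src.read(sector)
        except OSError:
            bad.append(offset // sector)
            chunk = b""
        chunk = chunk.ljust(sector, b"\0")[:sector]  # pad short or failed reads
        out.write(chunk)
        md5.update(chunk)
        sha.update(chunk)
    return bad, md5.hexdigest(), sha.hexdigest()


def verify_image(image: bytes, md5_expected: str, sha_expected: str) -> bool:
    """Verification hash: re-hash the stored image (on arrival at the lab and
    before each analysis session) and compare with the acquisition hashes
    written on the evidence tag.  Any difference means the copy cannot be
    relied on and the acquisition must be repeated from the original."""
    return (hashlib.md5(image).hexdigest() == md5_expected
            and hashlib.sha256(image).hexdigest() == sha_expected)


def acquire(drive, size: int):
    """Image `drive` into memory; returns (image_bytes, bad_sectors, md5, sha256)."""
    out = io.BytesIO()
    bad, md5, sha = image_device(drive, size, out)
    return out.getvalue(), bad, md5, sha


def sample_drive(bad_sector: Optional[int] = None) -> FlakyDrive:
    """Constructed 64 KiB 'drive' (128 sectors of 0x41) with a recognisable
    remnant of a deleted file planted at sector 64."""
    data = bytearray(b"A" * (128 * SECTOR))
    data[64 * SECTOR:64 * SECTOR + 20] = b"DELETED_FILE_REMNANT"
    return FlakyDrive(bytes(data), bad_sector)


if __name__ == "__main__":
    img, bad, md5, sha = acquire(sample_drive(bad_sector=3), 128 * SECTOR)
    print("unreadable sectors padded with zeros:", bad)
    print("md5   ", md5)
    print("sha256", sha)
    print("verifies:", verify_image(img, md5, sha))
    print("verifies after one byte appended:", verify_image(img + b"x", md5, sha))
```

When a sector is unreadable, the recorded hash covers the padded stream that was actually written, not the physical drive, so the list of bad sectors belongs on the evidence tag next to the hashes; without it a later examiner cannot explain why re-imaging the same drive produces a different value.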
Recover Lost or Deleted Data
Collect the lost or deleted data for evidence from internal and external devices
Some of the software used to recover the data:
• Partition Recovery Software
• Data Recovery Wizard
• PC Inspector File Recovery
• TestDisk and PhotoRec
• ISOBuster
• SoftPerfect File Recovery
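How the recovery tools listed above find a deleted file whose directory entry is gone, as an added example (not code from the slides and not the code of PhotoRec or any other tool named): signature-based carving of one file type (PNG) from a raw image, with a structural check so that a header whose data has been overwritten is not reported as a recovered file. The PNG generator and the sample image with two intact and one damaged file are constructed for the example.

```python
"""Signature-based file carving from a raw image (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # PNG file header
PNG_END = b"IEND\xaeB`\x82"      # IEND chunk type followed by its fixed CRC


def _chunk(kind: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + kind + body
            + struct.pack(">I", zlib.crc32(kind + body) & 0xFFFFFFFF))


def make_png(width: int, height: int, rgb: tuple) -> bytes:
    """Constructed sample: a minimal valid 8-bit RGB PNG of one solid colour."""
    rows = b"".join(b"\0" + bytes(rgb) * width for _ in range(height))  # filter 0 per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


def png_is_valid(data: bytes) -> bool:
    """Walk the chunk list: every chunk CRC must match and the data must end
    exactly at the IEND chunk.  Plain header/footer matching would accept a
    stray header followed by unrelated bytes; the CRC check rejects it."""
    if not data.startswith(PNG_SIG):
        return False
    pos, kind = len(PNG_SIG), None
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return False
        kind = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(kind + body) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
    return kind == b"IEND" and pos == len(data)


def carve_png(image: bytes) -> list:
    """Return [(offset, data)] for every structurally valid PNG in `image`.

    For each header, take the bytes up to the next IEND footer and validate.
    Scanning resumes just past the header, so a rejected candidate does not
    hide a valid file that begins inside it."""
    found, pos = [], 0
    while (start := image.find(PNG_SIG, pos)) != -1:
        end = image.find(PNG_END, start)
        if end == -1:  # no footer anywhere after this header: nothing complete remains
            break
        candidate = image[start:end + len(PNG_END)]
        if png_is_valid(candidate):
            found.append((start, candidate))
        pos = start + len(PNG_SIG)
    return found


def sample_image() -> bytes:
    """Constructed unallocated-space dump: two intact PNGs and one whose data
    was overwritten, leaving only 20 bytes of its header."""
    red, blue = make_png(2, 2, (255, 0, 0)), make_png(1, 3, (0, 0, 255))
    damaged = make_png(4, 4, (1, 2, 3))[:20]
    return b"\0" * 1000 + red + b"\0" * 300 + damaged + b"\0" * 200 + blue + b"\0" * 100


if __name__ == "__main__":
    for offset, data in carve_png(sample_image()):
        w, h = struct.unpack(">II", data[16:24])  # IHDR width and height
        print(f"PNG at offset {offset}: {len(data)} bytes, {w}x{h} pixels")
```

Carving works on the image, never on the original media, and the offsets it reports are what goes into the examination notes: they let another examiner re-extract the same bytes from the same verified image.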
Computer Forensics Investigation Methodology (flow diagram repeated; phase covered next: Analyze the Data)
Data Analysis
Thoroughly analyze the acquired data to draw conclusions related to the case
Data analysis techniques depend on the scope of the case or client’s requirements
This phase includes:
• Analysis of the file’s content, date, and time of file creation and modification, users associated with file creation, access, and file modification, and physical storage location of the file
• Timeline generation
Identify and categorize data in order of relevance
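The timestamp analysis and timeline generation described above, as an added example (not code from the slides and not the code of FTK, EnCase or The Sleuth Kit): a mactime-style timeline that merges the modified, accessed, changed and created times of every file into one list in true chronological order, correcting for the clock drift recorded at seizure. The file records in `sample_files`, their paths and the 60-second drift are constructed for the example; `from_stat` shows where the same records would come from on a mounted read-only copy.

```python
"""File-activity timeline with clock-drift correction (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple
import os


@dataclass
class FileTimes:
    path: str
    modified: float                  # mtime, epoch seconds as the suspect system recorded it
    accessed: float                  # atime
    changed: float                   # ctime: metadata change
    created: Optional[float] = None  # birth time, not available on every file system


def from_stat(path: str) -> FileTimes:
    """Read the four timestamps of a file on a mounted (read-only) copy."""
    st = os.stat(path)
    return FileTimes(path, st.st_mtime, st.st_atime, st.st_ctime,
                     getattr(st, "st_birthtime", None))


def build_timeline(files: List[FileTimes],
                   drift_seconds: float = 0.0) -> List[Tuple[str, str, str]]:
    """Return rows of (UTC time, MACB flags, path) in chronological order.

    drift_seconds is (suspect clock minus trusted reference clock) measured at
    seizure; subtracting it converts evidence time to true time.  Timestamps
    of one file that coincide after rounding to the second are merged into a
    single row whose flags show which of m/a/c/b changed, as mactime does."""
    events = {}
    for f in files:
        for flag, t in (("m", f.modified), ("a", f.accessed),
                        ("c", f.changed), ("b", f.created)):
            if t is None:
                continue
            key = (int(round(t - drift_seconds)), f.path)
            events.setdefault(key, set()).add(flag)
    rows = []
    for (t, path), flags in sorted(events.items()):
        stamp = datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        macb = "".join(ch if ch in flags else "." for ch in "macb")
        rows.append((stamp, macb, path))
    return rows


def sample_files() -> List[FileTimes]:
    """Constructed records for two files; t0 is 2023-11-14T22:13:20Z."""
    t0 = 1_700_000_000
    return [
        FileTimes("C:/Users/jdoe/report.xlsx", modified=t0 + 60, accessed=t0 + 120,
                  changed=t0 + 60, created=t0),
        FileTimes("C:/Users/jdoe/tool.exe", modified=t0 + 30, accessed=t0 + 30,
                  changed=t0 + 30, created=t0 + 30),
    ]


if __name__ == "__main__":
    # The suspect clock was measured 60 s fast at seizure, so every timestamp moves back 60 s.
    for stamp, macb, path in build_timeline(sample_files(), drift_seconds=60):
        print(stamp, macb, path)
```

A row with all four flags set at the same second (`macb`) is typical of a file copied onto the system, while `m.c.` with a later `.a..` shows a file edited and then read; the drift correction is what makes these rows line up with log entries from other systems.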
Data Analysis Tools
Forensic tools help in sorting and analysis of a large volume of data to draw meaningful conclusions
Examples of data analysis tools:
• AccessData's FTK
• Guidance Software's EnCase
• Brian Carrier's The Sleuth Kit
Computer Forensics Investigation Methodology (flow diagram repeated; phase covered next: Assess Evidence and Case)
Evidence Assessment
The digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action
Conduct a thorough assessment by reviewing the search warrant or other legal authorization, case detail, nature of the hardware and software, potential evidence sought, and the circumstances surrounding the acquisition of the evidence to be examined
Case Assessment
Review the case investigator’s request for service
Identify the legal authority for the forensic examination request
Document the chain of custody
Discuss whether other forensic processes need to be performed on the evidence (e.g., DNA analysis, fingerprint, tool marks, trace, and questioned documents)
Case Assessment (cont’d)
Discuss the possibility of pursuing other investigative avenues to obtain additional digital evidence (e.g., sending a preservation order to an Internet service provider (ISP), identifying remote storage locations, obtaining email)
Consider the relevance of peripheral components to the investigation; for example, in forgery or fraud cases, consider non-computer equipment such as laminators, credit card blanks, check paper, scanners, and printers (In child pornography cases, consider digital cameras)
Determine the potential evidence being sought (e.g., photographs, spreadsheets, documents, databases, and financial records)
Determine additional information regarding the case (e.g., aliases, email accounts, email addresses, ISP used, names, network configuration and users, system logs, passwords, user names) which may be obtained through interviews with the system administrator, users, and employees
Processing Location Assessment
Assess the evidence to determine where to conduct the examination
It is preferable to complete the examination in a controlled environment, such as a dedicated forensic work area or laboratory
Whenever circumstances require an onsite examination to be conducted, attempt to control the environment
Processing Location Assessment (cont’d)
Assessment considerations include:
• The time needed onsite to accomplish evidence recovery
• Logistic and personnel concerns associated with long-term deployment
• The impact on the business due to a lengthy search
• The suitability of the equipment, resources, media, training, and experience for an onsite examination
Best Practices
Analyze the physical and logical evidence for their value to the case
Use a safe cabinet to secure the evidence
Examine network service logs for any events of interest
Examine the large amount of host data, where only a portion of that data might be relevant to the incident
Perform offline analysis on a bit-wise copy of the original evidence
Search the contents of all gathered files to help identify files that may be of interest
Review the time and date stamps in the file system metadata
Correlate the file headers to the corresponding file extensions to identify any mismatches
Review the file names for relevance and patterns
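As an added example (not code from the EC-Council module), the following Python script applies two of the practices above to a working copy: it records each file's modification timestamp from the file system metadata and correlates the file header (magic bytes) with the file extension to flag mismatches. The signature table, the temporary sample directory and its file contents are constructed here for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Constructed signature table: well-known header bytes -> implied type.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # docx/xlsx share this header; extend as needed
}

def detect_type(path):
    """Return the type implied by the header bytes, or None if unknown."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None

def review_files(root):
    """Walk the working copy, recording each file's UTC mtime and whether its
    header implies a known type other than the one its extension claims."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            header_type = detect_type(path)
            mtime = datetime.fromtimestamp(os.stat(path).st_mtime, timezone.utc)
            findings.append({
                "name": name, "ext": ext, "header_type": header_type,
                "mismatch": header_type is not None and header_type != ext,
                "mtime": mtime.isoformat(),
            })
    return findings

def build_sample_copy():
    """Constructed sample working copy: two honest files, one PNG renamed .txt."""
    root = tempfile.mkdtemp(prefix="fx_")
    samples = {
        "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
        "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for r in review_files(build_sample_copy()):
        print("MISMATCH" if r["mismatch"] else "ok      ", r["name"],
              "ext=" + r["ext"], "header=" + str(r["header_type"]), r["mtime"])
```

Run it against a working copy, never the original media, and treat a mismatch as a lead to examine, not as proof of intent.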
Documentation in Each Phase
Assess the data:
• An initial estimate of the impact of the situation on the organization's business
• Summaries of interviews with users and system administrators
• Outcomes of any legal and third-party interactions
• Reports and logs generated by tools used during the assessment phase
• A proposed course of action
Acquire the data:
• Create a check-in/check-out list that includes information such as the name of the person examining the evidence, the exact date and time they check out the evidence, and the exact date and time they return it
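An added example (not part of the module) of such a check-in/check-out list in Python: each entry records the examiner and the exact check-out and return times, and on return the working image is re-hashed and compared with the hash taken at acquisition, so any alteration while the item was out is recorded in the list itself. The evidence id, examiner names and image bytes are constructed.

```python
import hashlib
from datetime import datetime, timezone

class CustodyLog:
    """Check-in/check-out list for one evidence item (constructed helper)."""

    def __init__(self, evidence_id, image_bytes):
        self.evidence_id = evidence_id
        # Hash taken at acquisition; every return is verified against it.
        self.acquisition_hash = hashlib.sha256(image_bytes).hexdigest()
        self.entries = []        # full history, oldest first
        self.open_entry = None   # the entry still checked out, if any

    def check_out(self, examiner, when):
        """Record who took the evidence and exactly when."""
        if self.open_entry is not None:
            raise ValueError(f"{self.evidence_id} is already out with "
                             f"{self.open_entry['examiner']}")
        self.open_entry = {"examiner": examiner, "out": when.isoformat(),
                           "in": None, "hash_on_return": None, "intact": None}
        self.entries.append(self.open_entry)
        return self.open_entry

    def check_in(self, examiner, when, image_bytes):
        """Record the return time and whether the item still matches the
        acquisition hash; a False 'intact' is a break in the chain."""
        entry = self.open_entry
        if entry is None or entry["examiner"] != examiner:
            raise ValueError(f"no open check-out for {examiner}")
        returned_hash = hashlib.sha256(image_bytes).hexdigest()
        entry.update({"in": when.isoformat(), "hash_on_return": returned_hash,
                      "intact": returned_hash == self.acquisition_hash})
        self.open_entry = None
        return entry

def demo():
    """Constructed scenario: one clean examination, then one that altered
    the image; returns the 'intact' flag of each entry."""
    image = b"\x00CONSTRUCTED-DISK-IMAGE\x00" * 64
    log = CustodyLog("EVD-0001", image)

    def at(hour):
        return datetime(2024, 1, 15, hour, 0, tzinfo=timezone.utc)

    log.check_out("A. Examiner", at(9))
    log.check_in("A. Examiner", at(11), image)
    log.check_out("B. Examiner", at(13))
    log.check_in("B. Examiner", at(15), image[:-1] + b"\x01")  # altered byte
    return [e["intact"] for e in log.entries]

if __name__ == "__main__":
    print(demo())  # [True, False]
```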
![Page 59: File000115](https://reader038.vdocuments.site/reader038/viewer/2022110307/555b66f5d8b42a66338b508d/html5/thumbnails/59.jpg)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Documentation in Each Phase (cont’d)
Analyze the data:
• Document the information regarding the number and type of operating system(s)
• Document the file’s content
• Document the result of correlation of files to the installed applications
• Document the user’s configuration settings
![Page 60: File000115](https://reader038.vdocuments.site/reader038/viewer/2022110307/555b66f5d8b42a66338b508d/html5/thumbnails/60.jpg)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Gather and Organize Information
Documentation from each phase should be reviewed for its relevance to the investigation
Procedures used to gather and organize the required documentation are:
• Gather all documentation and notes from the Assess, Acquire, and Analyze phases
• Identify parts of the documentation that are relevant to the investigation
• Identify facts to support the conclusions you will make in the report
• Create a list of all evidence to be submitted with the report
• List any conclusions you wish to make in your report
• Organize and classify the information you gathered to ensure that you get a clear and concise report
![Page 61: File000115](https://reader038.vdocuments.site/reader038/viewer/2022110307/555b66f5d8b42a66338b508d/html5/thumbnails/61.jpg)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Writing the Investigation Report
Report Writing:
• Report writing is a crucial stage in the outcome of the investigation
• The report should be clear, concise, and written for the appropriate audience
The information included in the report sections is:
Purpose of Report:
• Clearly explain the objective of the report, the target audience, and why the report was prepared
Author of Report:
• List all authors and co-authors of the report, including their positions, responsibilities during the investigation, and contact details
![Page 62: File000115](https://reader038.vdocuments.site/reader038/viewer/2022110307/555b66f5d8b42a66338b508d/html5/thumbnails/62.jpg)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Writing the Investigation Report (cont’d)
Incident Summary:
• Introduce the incident and explain its impact; the summary should state clearly what happened and how the incident occurred
Evidence:
• Provide descriptions of the evidence that was acquired during the investigation
Details:
• Provide a detailed description of what evidence was analyzed and the analysis methods that were used
• Explain the findings of the analysis
• List the procedures that were followed during the investigation and any analysis techniques that were used
• Include proof of your findings, such as utility reports and log entries
![Page 63: File000115](https://reader038.vdocuments.site/reader038/viewer/2022110307/555b66f5d8b42a66338b508d/html5/thumbnails/63.jpg)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Writing the Investigation Report (cont’d)
Conclusion:
• Summarize the outcome of the investigation
• Cite specific evidence to prove the conclusion
• The conclusion should be clear and unambiguous
Supporting documents:
• Include any background information referred to throughout the report, such as network diagrams, documents that describe the computer investigation procedures used, and overviews of technologies that are involved in the investigation
• It is important that supporting documents provide enough information for the report reader to understand the incident as completely as possible
![Page 64: File000115](https://reader038.vdocuments.site/reader038/viewer/2022110307/555b66f5d8b42a66338b508d/html5/thumbnails/64.jpg)
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Sample Report
Expert Witness
An expert witness is a person with thorough knowledge of his or her subject, whose opinion others may legally rely on
The role of an expert witness is to:
• Investigate a crime
• Evaluate the evidence
• Educate the public and court
• Testify in court
Role of the expert witness in bringing evidence to court:
• Assist the court in understanding intricate evidence
• Aid the attorney to get to the truth
• Truthfully, objectively, and fully express his or her expert opinion, without regard to any views or influence
Testifying in the Court Room
Presenting digital evidence in the court requires knowledge of new, specialized, evolving, and sometimes-complex technology
Things that take place in the court room:
• Familiarize yourself with the usual procedures that are followed during a trial
• The attorney introduces the expert witness with high regard
• The opposing counsel may try to discredit the expert witness
• The attorney leads the expert witness through the evidence
• Cross-examination by the opposing counsel follows
Closing the Case
The investigator should include what was done and the results in the final report
A basic report includes: who, what, when, where, and how
In a good computing investigation, the steps can be repeated and the same result is obtained every time
The report should explain the computer and network processes and the inner workings of the system
The investigator should provide an explanation of the various processes and their interrelated components
Maintaining Professional Conduct
Consider all the available facts relating to the crime scene
Ignore external biases to maintain the integrity of the fact-finding in all investigations
Keep the case confidential
Stay current on the latest technical changes in computer hardware and software, networking, and forensic tools
Maintain a chain of custody
Follow these criteria to maintain professional conduct:
• Credibility
• Ethics and Morals
• Standards of behavior
• Maintain objectivity and confidentiality
• Enriched technical knowledge
• Conduct with integrity
Investigating a Company Policy Violation
Employees using the company’s resources for personal use not only waste the company’s time and resources but also violate company policy
Trace such employees and educate them about the company’s policy; if the problem persists, take suitable action
Employees misusing resources can cost companies millions of dollars
Misusing resources includes:
• Surfing the Internet
• Sending personal emails
• Using company computers for personal tasks
While investigating, the business must continue with minimal interruption
Computer Forensics Service Providers
Service providers and links:
CFS: http://www.computer-forensic.com/
Lab systems: http://www.labsystems.co.in/
DataBank Services: http://www.databankservices.com/
Computer Legal Experts: http://www.ontonet.com/default.asp
Data Triage Technologies: http://www.datatriage.com/computer_forensics.php
New York Computer Forensic Services: http://www.newyorkcomputerforensics.com/
Global Digital Forensics: http://www.evestigate.com/
Summary
Collect evidence that can be presented in the court of law or at a corporate inquiry
Maintain a "chain of custody" for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession
Obtain proper written authorization from an authorized decision maker to conduct the computer investigation
The first person at the scene of the incident should collect and preserve as much evidence as possible