Computer Forensics Principles and Practices
Computer Forensics Principles and Practices by Volonino, Anzaldua, and Godwin Chapter 4: Policies and Procedures

Objectives
- Explain the reasons for policies and procedures
- Formulate policies and procedures
- Identify the steps in a forensic examination
- Conduct an investigation
- Report the results of an investigation
© Pearson Education Computer Forensics: Principles and Practices

Introduction
In this chapter, you will be introduced to best practices and generally accepted guidelines and procedures used by computer forensics practitioners. These guidelines and procedures need to be customized to meet the requirements of individual cases.
Notes: Introduce the chapter.

Reasons for Policies and Procedures
Investigators establish generally accepted policies and procedures to ensure that:
- A benchmark is set for all cases, as needed for external audits or other reference
- Processes throughout the case life cycle are understood
- Technical procedures are well documented
- Integrity is automatically built into the handling of the case
- Different forensic investigators can work or collaborate on the same case without significant disruption
- The final report has a standard format
Notes: Discuss some of the reasons why generally accepted policies and procedures are put into place.

Personnel Hiring Issues
Characteristics important for members of a forensics unit include:
- Experience in computer forensics
- Education in relevant forensic areas
- Certifications in computer forensics
- Integrity and judgment
- Team player attitude
- Ability to adapt
- Ability to work under pressure
Notes: Explain some of the issues of hiring computer forensics investigators.

Personnel Training
Some training areas include:
- Computer forensics
- Network forensics
- PDA forensics
- Cellular phone forensics
- Legal issues
- Industry-specific issues
- Management training
- Investigative techniques
Notes: Provide other areas that you know of that would be important for computer forensics investigators. You may want to have a discussion regarding the administrative issues that face a computer forensics lab. They are very similar to other organizations.

Pre-Case Cautions
- When deciding to take a case, consider whether your team can ensure the integrity of the case's e-evidence
- Evidence value is time sensitive
- Links to digital information can degrade
Notes: Discuss the cautions when taking a case and the time-sensitive nature of expediting the investigation.

Deciding to Take a Case
Criteria for accepting a case include:
- Whether it is a criminal or civil case
- The impact on the investigating organization
- Whether the evidence is volatile or nonvolatile
- Legal considerations about data that might be exposed
- The nature of the crime
- Potential victims, such as children in child pornography cases
- Liability issues for the organization
- The age of the case
- Amount of time before the court date
Notes: Discuss the reasons for taking a case.

FYI: Types of Data That Might Be Exposed in an Investigation
Information that can be exposed in an investigation that is not within the original scope:
- Personal financial data
- Personal e-mail
- E-mail or documents containing company secrets
- Instant messaging logs
- Privileged communications
- Proprietary information (corporate)
Notes: Explain some of the information that might be exposed during the life of an investigation.

General Case Intake Form
- Checks for conflict of interest in the case
- Confirms the understanding and agreement among the parties involved and sets the stage for everything else about the case
- Chain of custody
- Basic evidence documentation
Notes: Discuss the importance of a case intake form. Refer to the link of the special report by the Department of Justice. Also discuss the In Practice: Triple Constraint of an Honest Estimate, from the book.

Documenting the First Steps in the Case
The importance of documenting first steps cannot be overemphasized. Questions that should be asked before traveling to a site:
- What circumstances surrounding this case require a computer forensics expert?
- What types of hardware and software are involved?
Notes: Discuss these questions regarding documenting the case.

Equipment in a Basic Forensics Kit
- Cellular phone
- Basic hardware toolkit
- Watertight/static-resistant plastic bags
- Labels
- Bootable media
- Cables (USB, printer, FireWire)
- Writing implements
- Laptop
- PDA
- High-resolution camera
- Hardware write blocker
- Luggage cart
- Flashlight
- Power strip
- Log book
- Gloves
- External USB hard drive
- Forensic examiner platform
Notes: Outline the basic tools that need to be in a forensics toolkit.

Steps in the Forensic Examination
- Verify legal authority
- Collect preliminary data
- Determine the environment for the investigation
- Secure and transport evidence
- Acquire the evidence from the suspect system
Notes: Discuss the steps in a forensics examination. These topics are expanded on the following slides.

Verify Legal Authority
- In a criminal case, the authority to conduct a search is determined by the local jurisdiction
- A search warrant is required for search and seizure
- Search warrants may need to be amended or expanded when the scope of the search grows
- The plain view doctrine allows seizure of other relevant material that is in plain view during a lawful search
- In civil cases involving corporate equipment, investigators have greater leeway to seize because the organization owns the equipment; the authority still rests on ownership, policy, or consent, so document which one applies
Notes: Make sure that Fourth Amendment rights are protected in a criminal/civil case.

Collect Preliminary Data
Question: What types of e-evidence am I looking for?
Consideration: Are you being tasked to look for photographs, documents, databases, spreadsheets, financial records, or e-mail?
Question: What is the skill level of the user in question?
Consideration: The more sophisticated the user, the more likely that he has the capability to alter or destroy evidence.
Question: What kind of hardware is involved?
Consideration: Is it an IBM-compatible computer or a Macintosh computer?
Notes: Discuss the questions and considerations in collecting preliminary data. (Continued)

Collect Preliminary Data (Cont.)
Question: What kind of software is involved?
Consideration: To a large degree, the type of software you are working with determines how you extract and eventually read the information.
Question: Do I need to preserve other types of evidence?
Consideration: Will you need to worry about fingerprints, DNA, or trace evidence?
Question: What is the computer environment like?
Consideration: Are you dealing with a network? If so, what are the physical/logical topology, OS, usernames, and passwords?
Notes: Continue the discussion of the questions and considerations in collecting preliminary data.

Determine the Environment for the Investigation
Consider these factors when deciding where to conduct the examination:
- Integrity of the evidence collection process
- Estimation of the time required to do an examination
- Impact on the target organization
- Equipment resources
- Personnel considerations
Notes: Discuss the factors that need to be considered when deciding where to conduct the examination.

Secure and Transport Evidence
Document the evidence:
- Locate all evidence to be seized
- Record a general description of the room
- Type of media found
- All peripheral devices attached to the computer(s)
- Make, model, and serial numbers of devices seized
- What types of media devices are located in, near, or on the computer
- Note all wireless devices
- Make use of chain of custody forms
Notes: Discuss the documentation of evidence in relation to securing and transporting that evidence.

Secure and Transport Evidence (Cont.)
Tag the evidence. Tag everything that will be transported back to the forensics lab:
- All removable media
- All computer equipment
- Books/magazines
- Trash contents
- Peripherals
- Cables
- Notes/miscellaneous paper
The tag should include the time, date, location, and general condition of the evidence.
Notes: Discuss the tagging of evidence in relation to securing and transporting that evidence.

Secure and Transport Evidence (Cont.)
Bag the evidence:
- Small items go into small antistatic bags
- Larger items go into antistatic boxes
Bagging evidence:
- Protects the evidence
- Organizes the evidence
- Preserves other potential evidence
Notes: Discuss the bagging of evidence and what items should be tagged.

Secure and Transport Evidence (Cont.)
Transport the evidence. Use these items to make transport easier:
- Luggage cart
- Hand cart
- Bungee cords with hooks or clamps
- Duct tape
- Small cargo net
- Leather gloves
- Twist ties
- Plastic cable ties/PlastiCuffs
Notes: Discuss the items that are useful in safely transporting the evidence.

Acquire the Evidence
First document the hardware and software to be used in acquiring the evidence.
- Disassemble the suspect computer
- Acquire hard drive information
- BIOS information
- Boot sequence
- Time and date (record the BIOS clock alongside a reliable reference time so that any offset can be applied to timestamps later)
- What hardware, software, and media will be used to acquire evidence?
Notes: Discuss acquiring the hard drive and the disassembly process. Discuss the process of acquiring a hard drive image and the documentation of that process.

Acquire the Evidence (Cont.)
Basic guidelines:
- Wipe all media you plan to use, using a standard character for the wipe, and verify the wipe
- Activate write protection (a hardware write blocker) on the suspect drive before connecting it
- Hash the original drive and the forensic copy, and compare the values to confirm a bit-for-bit copy; record both values in the case notes
- Do a physical acquisition to capture space not accessible through the operating system (unallocated space and file slack)
- Make a working or backup copy and examine the copy, never the original
Notes: Explain the basic guidelines of acquisition.
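The acquisition guidelines above, carried out end to end as an added example (this is not code from the Volonino, Anzaldua, and Godwin text). Two constructed files stand in for the suspect drive and the wiped target; the 4096-byte block size, the zero-byte wipe pattern, and the simulated bad sectors are assumptions for the demonstration. The block-for-block copy behaves like `dd conv=noerror,sync`: an unreadable block is zero-filled and logged so later offsets still line up.

```python
"""Added example: wipe-and-verify target media, block-for-block physical
acquisition, and hash verification of the copy. Files stand in for drives."""
import hashlib
import os
import tempfile

BLOCK = 4096          # assumed block size for the demo; real tools use the device sector size
WIPE_BYTE = b"\x00"   # the "standard character" used to wipe target media


def wipe_and_verify(path, size, pattern=WIPE_BYTE):
    """Overwrite `size` bytes of the target with `pattern`, then re-read every
    block to prove the wipe took. The verification pass is what makes the
    wipe defensible in the case notes."""
    with open(path, "wb") as f:
        remaining = size
        while remaining:
            n = min(BLOCK, remaining)
            f.write(pattern * n)
            remaining -= n
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            if chunk != pattern * len(chunk):
                return False
    return True


def sha256_of(path):
    """Stream the file through SHA-256 in 1 MiB chunks so drive-sized inputs fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def physical_acquire(src, dst, bad_blocks=frozenset()):
    """Block-for-block copy of `src` into `dst`. A block index in `bad_blocks`
    simulates an unreadable sector: it is replaced with zeros and logged, the
    way dd conv=noerror,sync behaves, so offsets in the image still match the
    original. Returns the list of read errors for the case documentation."""
    errors = []
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for idx, chunk in enumerate(iter(lambda: fin.read(BLOCK), b"")):
            if idx in bad_blocks:
                errors.append("read error at block %d, padded with zeros" % idx)
                chunk = WIPE_BYTE * len(chunk)
            fout.write(chunk)
    return errors


def verify_image(src, dst):
    """Bit-for-bit check: same length and same SHA-256 on original and copy."""
    if os.path.getsize(src) != os.path.getsize(dst):
        return False
    return sha256_of(src) == sha256_of(dst)


def run_acquisition(bad_blocks=frozenset()):
    """Constructed end-to-end run: a 10-block 'suspect drive' of random bytes,
    a wiped target, one acquisition, and the (verified?, errors) result."""
    with tempfile.TemporaryDirectory() as d:
        suspect = os.path.join(d, "suspect.dd")
        target = os.path.join(d, "image.dd")
        with open(suspect, "wb") as f:
            f.write(os.urandom(BLOCK * 10))
        if not wipe_and_verify(target, BLOCK * 10):
            raise RuntimeError("target media failed wipe verification")
        errors = physical_acquire(suspect, target, bad_blocks)
        return verify_image(suspect, target), errors


if __name__ == "__main__":
    print("clean drive: hashes match =", run_acquisition())
    print("drive with bad sector: hashes match =", run_acquisition(bad_blocks={3}))
```

The second run shows the caveat a practitioner should expect: a drive with unreadable sectors can never produce an image whose hash matches the source, because the source cannot be read the same way twice. In that case the read errors go into the case notes and the hash that gets recorded and re-verified is the hash of the image itself. Write protection is enforced by the hardware blocker and is not modelled here.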

Examining the Evidence
- There are no specific rules for examining evidence, due to the variety of cases
- The experience level of the user determines how the examiner approaches the investigation of evidence
- Physical extraction or examination
- Logical extraction or examination
Notes: Begin the discussion of examining the evidence.

Examining the Evidence (Cont.)
Bottom-layer examinations:
- File system details
- Directory/file system structure
- Operating system norms
- Other partition information
- Other operating systems (dual/multiboot systems)
Notes: In the next few slides discuss the different layers of an investigation, from the bottom up.

Examining the Evidence (Cont.)
Second-layer examinations:
- Exclusion of known files using hash analysis
- File header and extension
- Obvious files of interest
Third-layer examinations:
- Extraction of password-protected and encrypted files
- Extraction of compressed and deleted files
- Link analysis
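The two second-layer checks above, known-file exclusion by hash and header-versus-extension comparison, as an added example that is not part of the slides. The evidence tree, the known-hash set, and the magic-number table are constructed for the demonstration; in practice the known set comes from a reference library such as the NIST NSRL, and the signature table is much larger.

```python
"""Added example: second-layer triage of an evidence tree. Files whose hash
is in the known set are dropped; files whose extension disagrees with their
header are flagged; everything else is left for review."""
import hashlib
import os
import tempfile

# Constructed magic-number table: leading bytes -> extensions that match them.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},
}


def sha256_of(path):
    """Hash a file in chunks; the digest is what gets looked up in the known set."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def identify_by_header(path):
    """Return the set of extensions implied by the leading bytes, or None if unknown."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, exts in SIGNATURES.items():
        if head.startswith(magic):
            return exts
    return None


def triage(root, known_hashes):
    """Walk `root` and sort files into excluded / mismatched / review buckets.
    A mismatch is reported as (path, claimed extension, extension the header implies)."""
    excluded, mismatched, review = [], [], []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if sha256_of(path) in known_hashes:
                excluded.append(rel)          # known-good: no need to look further
                continue
            exts = identify_by_header(path)
            ext = os.path.splitext(name)[1].lower()
            if exts is not None and ext not in exts:
                mismatched.append((rel, ext, sorted(exts)[0]))
            review.append(rel)
    return {"excluded": excluded, "mismatched": mismatched, "review": review}


def build_sample_case():
    """Constructed evidence tree: a 'known' system file, a PNG renamed to .txt
    (a common data-hiding trick), and an ordinary text file."""
    d = tempfile.mkdtemp()
    files = {
        "system/notepad.exe": b"MZ" + b"\x90" * 64,
        "docs/notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "docs/readme.txt": b"plain text\n",
    }
    for rel, data in files.items():
        path = os.path.join(d, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    known = {hashlib.sha256(files["system/notepad.exe"]).hexdigest()}
    return d, known


if __name__ == "__main__":
    root, known = build_sample_case()
    for bucket, items in triage(root, known).items():
        print(bucket, items)
```

Hash exclusion only removes files that match the reference set byte for byte; a known binary with one byte changed is exactly the kind of file that should fall through to review, which is why the header check runs on everything that is not excluded.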

Examining the Evidence (Cont.)
Fourth-layer examinations:
- Extraction of unallocated space files of interest
- Extraction of file slack space files of interest
Fifth-layer examinations:
- Documentation should reflect how the evidence was extracted and where it has been extracted to for further analysis
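An added example of the fourth-layer work, not from the slides: locating the file slack behind a file's last cluster, and carving JPEGs out of a buffer of unallocated space by start-of-image and end-of-image markers, which is how data that the file system no longer references is recovered. The raw image, its cluster size, and the offsets of the embedded blobs are constructed for the demonstration.

```python
"""Added example: file-slack arithmetic and header/footer carving over a
constructed buffer of unallocated space."""

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def slack_range(file_size, cluster_size):
    """Return (offset, length) of the file slack: the bytes between the end of
    the file's data and the end of its last allocated cluster. Those bytes are
    whatever was in the cluster before, so they are read from the physical
    image, not through the file system."""
    if file_size == 0:
        return (0, 0)
    allocated = -(-file_size // cluster_size) * cluster_size   # round up to a whole cluster
    return (file_size, allocated - file_size)


def carve_jpegs(data, max_len=10 * 1024 * 1024):
    """Find JPEG header/footer pairs in `data` (e.g. unallocated space read from
    an image). Returns a list of (offset, carved bytes). A header with no footer
    within `max_len` is treated as truncated and skipped; fragmented or nested
    files are a known limit of simple header/footer carving."""
    found = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + max_len)
        if end < 0:
            pos = start + 1          # truncated file: move past the header and keep scanning
            continue
        end += len(JPEG_EOI)
        found.append((start, data[start:end]))
        pos = end
    return found


def build_unallocated_sample():
    """Constructed 'unallocated space': 8 KiB of zeros with two JPEG-like blobs
    at offsets 1000 and 5000 and a header-only fragment at 7000."""
    img = bytearray(8192)
    a = JPEG_SOI + b"\xe0" + b"A" * 100 + JPEG_EOI    # 106 bytes
    b = JPEG_SOI + b"\xe1" + b"B" * 50 + JPEG_EOI     # 56 bytes
    img[1000:1000 + len(a)] = a
    img[5000:5000 + len(b)] = b
    img[7000:7000 + len(JPEG_SOI)] = JPEG_SOI         # truncated: no footer follows
    return bytes(img)


if __name__ == "__main__":
    print("slack of a 5000-byte file in 4096-byte clusters:", slack_range(5000, 4096))
    for offset, blob in carve_jpegs(build_unallocated_sample()):
        print("carved %d bytes at offset %d" % (len(blob), offset))
```

Every carved object should be recorded with its source offset, as the fifth layer above requires: the offset is what ties the recovered file back to the image, and it is what a second examiner needs to reproduce the extraction.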

The Art of Forensics: Analyzing the Data
File analysis investigations include:
- File content
- Metadata
- Application files
- Operating system file types
- Directory/folder structure
- Patterns
- User configurations
Notes: Begin your discussion of the art of forensics and analyzing the data. This is where forensic science skills move to forensic art skills, or the skills relating to knowing how people use technology in order to understand how to find information.

Analyzing the Data (Cont.)
Data-hiding analyses should include:
- Password-protected files
- Check the Internet for password-cracking software
- Check with the software developer of the application
- Contact a firm that specializes in cracking passwords
- Compressed files
- Encrypted files
- Steganography
Notes: Discuss the analysis of hidden data.

Analyzing the Data (Cont.)
Time frame analysis should examine the following file attributes:
- Creation date/time
- Modified date/time
- Accessed date/time
This information will allow you to begin to make a correlation between file and user. It does not establish that the suspect was actually the one sitting at the computer at the time of the crime or file creation/access/modification. Treat the accessed time with particular caution: many operating systems do not update it reliably by default, and opening a file on the original media without a write blocker changes it.
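The time frame analysis above, as an added example that is not part of the slides: a timeline of modified/accessed/changed times built from a directory tree, in the spirit of a body file fed to The Sleuth Kit's mactime (the "macb" flag letters are borrowed from that tool). The sample tree and its timestamps are constructed. One caveat is coded in: on Unix-like systems `st_ctime` is the inode change time, not creation, and a true creation time is only available where the platform exposes `st_birthtime`.

```python
"""Added example: MAC-time timeline of a directory tree. Each event is
(epoch seconds, flags from 'macb', relative path), sorted by time."""
import os
import tempfile
from datetime import datetime, timezone


def mac_events(root):
    """Collect one event per distinct timestamp of each file. Flags: m=modified,
    a=accessed, c=inode changed (not creation on Unix), b=born/created when
    the OS exposes it."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root)
            stamps = {"m": st.st_mtime, "a": st.st_atime, "c": st.st_ctime}
            birth = getattr(st, "st_birthtime", None)   # creation time, platform dependent
            if birth is not None:
                stamps["b"] = birth
            by_time = {}
            for flag, ts in stamps.items():              # merge flags that share a second
                by_time[int(ts)] = by_time.get(int(ts), "") + flag
            for ts, flags in by_time.items():
                events.append((ts, "".join(sorted(flags, key="macb".index)), rel))
    return sorted(events)


def render(events):
    """Human-readable timeline lines: UTC time, flags, path. UTC avoids the
    examiner's local zone silently shifting the suspect's times."""
    lines = []
    for ts, flags, rel in events:
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append("%s  %-4s %s" % (when, flags, rel))
    return lines


def build_sample_tree():
    """Constructed tree: two files whose mtime/atime are set to known epoch
    values so the ordering is deterministic. ctime is whatever the file system
    records at the moment os.utime runs, which is itself the point: touching
    the inode rewrites it."""
    d = tempfile.mkdtemp()
    for name, mtime, atime in (("a.txt", 1_600_000_000, 1_600_000_100),
                               ("b.txt", 1_500_000_000, 1_500_000_000)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write(name)
        os.utime(p, (atime, mtime))
    return d


if __name__ == "__main__":
    for line in render(mac_events(build_sample_tree())):
        print(line)
```

Run against a mounted image (read-only) the same walk gives a first-pass timeline; in a real case the times come from the file system metadata in the image, with the BIOS clock offset recorded at acquisition applied before anything is correlated with the suspect's activity.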

Reporting on the Investigation
The last step is to finish documenting the investigation and prepare a report on it. Documentation should include information such as:
- Notes taken during initial contact with the lead investigator
- Any forms used to start the investigation
- A copy of the search warrant
- Documentation of the scene where the computer was located
- Procedures used to acquire, extract, and analyze the evidence
Notes: Discuss what should be included in the final report of the investigation. Begin by emphasizing the importance of documenting each step of the investigation, from start to finish.

Reporting on the Investigation (Cont.)
A detailed final report should be organized into the following sections:
- Report summary
- Body of the report
- Conclusion
- Supplementary materials
Notes: Discuss the parts of the detailed final report.

Reporting on the Investigation (Cont.)
The final detailed report should cover:
- Case investigator information, name and contact details
- The suspect user information
- Case numbers or identifiers used by your department
- Location of the examination
- Type of information you have been requested to find
Notes: This is just a short list of the minimum information that should be included in the report. See the bullet list in the book.

Reporting on the Investigation (Cont.)
The report summary should contain:
- Files found with evidentiary value
- Supporting files that support allegations
- Ownership analysis of files
- Analysis of data within suspect files
- Search types, including text strings, keywords, etc.
- Any attempts at data hiding, such as passwords, encryption, and steganography
Notes: Discuss what should be included in the report summary. This is just a minimum list.

Summary
Policies and procedures:
- Are key to a consistent and methodical investigation
- Aid in the management of a computer forensics lab
- Should be flexible enough to adjust to each case

Summary (Cont.)
Four main steps to any computer forensics investigation:
- Planning
- Acquisition
- Analysis
- Reporting
A computer forensic analyst must:
- Keep up with the technology of the day
- Be a psychologist who understands how people use technology