Mohd Taufik Abdullah Department of Computer Science


SAK 4801 INTRODUCTION TO COMPUTER FORENSICS Chapter 3 Computer Investigation Process Mohd Taufik Abdullah Department of Computer Science Faculty of Computer Science and Information Technology University Putra of Malaysia Portions of the material courtesy Professor EC-Council

Learning Objectives
  Explain how to prepare a computer investigation
  Apply a systematic approach to an investigation
  Describe procedures for corporate high-tech investigations
  Explain requirements for data recovery workstations and software
  Describe how to conduct an investigation
  Explain how to complete and critique a case

Chapter 3 Outline
  3. Computer Investigation Process
  3.1. Introduction
  3.2. Investigating Computer Crime
  3.3. Investigating Company Policy Violations
  3.4. Conducting a Computer Forensic Investigation

3.1 Introduction

3.1 Introduction
  Computer forensics differs from other forensic sciences: electronic evidence is collected and examined.
  Although fingerprints or other evidence may also be obtained from the devices collected at a crime scene, a computer forensic technician will use specialized methods, techniques, and tools to acquire data stored on digital storage media.

3.1 Introduction (Cont.) Once the data is acquired from a device, the computer forensic technician will then examine it to identify which files, folders, or information may be useful as evidence, and can provide facts about the case. Although computer forensics is commonly used in criminal cases, it may also be used in civil disputes or corporate investigations, such as

3.1 Introduction (Cont.)
  when internal policies have been violated. For example, when an employee is suspected of using computing resources to perform some action that violates policy, the files, e-mail, and other data on the computer may be inspected.
  Because the violations could lead to criminal charges or civil actions against the employee, it is important that forensic procedures are followed.

3.1 Introduction (Cont.)
  Collecting such evidence requires following established procedures, and it can take a considerable amount of time to ensure it is collected correctly.
  Because the evidence may reveal the identity of a culprit and be used to establish the guilt or innocence of people, it is vital that the data are not modified as they are acquired, or altered afterwards when they are examined.
  Any actions taken should be documented in case this information is required in court.

3.1 Introduction (Cont.)
  Files stored on computers are often used in place of other record systems, and may contain a significant amount of information that can be employed to convict a suspect or prove their innocence.
  For example, in a homicide investigation, a suspect may have written about their plans in a diary on the computer, or in a blog on the Internet.

3.1 Introduction (Cont.)
  Investigating computer crime:
    Determine if there has been an incident
    Find and interpret the clues left behind
    Do a preliminary assessment to search for the evidence
    Search and seize the computer equipment

3.2 Investigating Computer Crime

3.2.1 How an Investigation Starts
  Plan your investigation. A basic investigation plan should include the following activities:
    Acquire the evidence
    Complete an evidence form and establish a chain of custody
    Transport the evidence to a computer forensics lab
    Secure evidence in an approved secure container
    Prepare a forensics workstation
    Obtain the evidence from the secure container
    Make a forensic copy of the evidence
    Return the evidence to the secure container
    Process the copied evidence with computer forensics tools

3.2.1 How an Investigation Starts (Cont.)
  An evidence custody form helps you document what has been done with the original evidence and its forensic copies
  Two types:
    Single-evidence form: lists each piece of evidence on a separate page
    Multi-evidence form

3.2.1 How an Investigation Starts (Cont.)
  When crimes are committed using computers, often the only evidence available to prosecute the person who committed the offense is in digital format
    Illegal images will only be stored on a hard disk or other media
    Proof of an intruder's activities may be stored in log files

3.2.1 How an Investigation Starts (Cont.)
  Documents containing evidence of the crime are only available by investigating the computers used in the crime or those subjected to the crime
  By examining the digital contents of these computers, an investigation can reach a successful conclusion:
    Prosecuting the culprit
    Using information acquired from the investigation to make existing systems more secure

3.2.1 How an Investigation Starts (Cont.)
  Investigations always start with a crime being committed and someone noticing it.
  For an investigation to begin, someone must notice the crime has happened and report it to the appropriate authorities. If no complaint is made, the person gets away with the crime.
  The key role in any investigation is the complainant (plaintiff).

3.2.1 How an Investigation Starts (Cont.)
  People typically perform three major roles when conducting an investigation. These roles are:
    First Responder
    Investigator
    Crime Scene Technician
  First responder (a complainant)
    Identifies and protects the crime scene
    Preserves volatile evidence

3.2.1 How an Investigation Starts (Cont.)
  Investigator (may be a member of law enforcement or the computer incident response team)
    Establishes chain of command
    Conducts search of the crime scene
    Maintains integrity of evidence

3.2.1 How an Investigation Starts (Cont.)
  Crime scene technician (individuals who have been trained in computer forensics)
    Preserves volatile evidence and duplicates disks
    Shuts down systems for transport
    Tags and logs evidence
    Packages and transports evidence
    Processes evidence

3.2.2 Investigation Methodology
  Investigation methodology is the practices, procedures, and techniques used to collect, store, analyze, and present information and evidence that is obtained through a computer forensics investigation.
  The individual steps to perform these tasks may vary from case to case and depend on the types of software and equipment used; common practices will always be consistent.

3.2.2 Investigation Methodology (Cont.)
  The methodology of a computer forensics investigation can be divided into three basic stages:
    Acquisition
    Authentication
    Analysis

3.2.2 Investigation Methodology (Cont.)
  Acquisition
    The act or process of gathering information and evidence
    The evidence in computer forensics is the data stored on the computer, not the computer that has been seized
    The data will be used to provide insight into the details of a crime or other incident, and be used as evidence to convict a suspect
    Make an exact copy of everything stored on the hard disk

3.2.2 Investigation Methodology (Cont.)
  Authentication
    A process of ensuring that the acquired evidence is the same as the data that was originally seized
    If the data acquired from a computer were corrupted, modified, or missing from the imaging process, it would not only affect your ability to accurately examine the machine's contents, but could also make all of the evidence you find on the computer inadmissible in court

3.2.2 Investigation Methodology (Cont.)
  Analysis
    A process of examining and evaluating information
    When examining computer files, it is vital that they are not modified in any way. This refers not only to changing the information in the file itself (such as by accidentally changing the values entered in a spreadsheet), but also to modifying the properties of the file.
    For example, opening a file could change the date and time property that shows when the file was last accessed.

3.2.3 The Role of Evidence
  Identifies what evidence is present and where it is located
    Investigators must follow the rules of evidence depending on the laws of the locality where the crime has been committed
    For example, if someone broke into a server room and changed permissions on the server, the room and the server would be where you would find evidence
  Identifies how the evidence can be recovered
    Photograph the screen of a computer to record any volatile data displayed
    Collect backup media

3.2.3 The Role of Evidence (Cont.)
  Findings from evidence admitted in a criminal case can be used in a civil court and vice versa
  The latest rules regarding digital evidence are updated on the US Department of Justice web site www.usdoj.gov

3.2.4 Securing Evidence
  Securing evidence is a process that begins when a crime is first suspected, and continues after the examination has been completed.
  Even after a trial, civil suit, or disciplinary hearing has ended, the evidence must remain secure in case of an appeal or other proceedings.
  The integrity of evidence must be retained, so that the original evidence is preserved in a state as close as possible to when it was initially acquired.

3.2.4 Securing Evidence (Cont.)
  If evidence is lost, altered, or damaged, then you may not be able to even mention it in court
  The credibility of how evidence was collected and examined may be called into question, making other pieces of evidence inadmissible as well
  Evidence acquired from the crime scene depends upon the nature of the case and the alleged crime or violation

3.2.4 Securing Evidence (Cont.)
  Standard tools to help secure evidence at a crime scene include:
    Digital camera
    Sketchpad
    Pencils
    Tape
    Gloves
    Screwdriver
    Evidence bags
    Needle-nose pliers
    Bolt cutters

3.2.4 Securing Evidence (Cont.)
  Evidence for a case may include an entire computer and its associated media. Securing the crime scene includes:
  Volatile evidence (lost when a system is powered off or if power is disrupted), collected in order of volatility:
    Registers and cache
    Routing tables, ARP cache, process tables, and kernel statistics
    Contents of system memory
    Temporary file systems
    Data on disk

3.2.4 Securing Evidence (Cont.)
  Sterilize all the media to be used in the examination process
  Enter the crime scene, take a snapshot of the scene and then carefully scan the data sources
  Retain and document the state and integrity of items at the crime scene

3.2.4 Securing Evidence (Cont.)
  Take custody of the entire computer, including hardware peripherals such as keyboard, mouse and monitor
  All floppy diskettes and other removable media must be confiscated and taken to the forensic lab for preservation and duplication
  Use evidence bags to secure and catalog the evidence
  Use computer-safe products:
    Antistatic bags
    Antistatic pads

3.2.4 Securing Evidence (Cont.)
  Use evidence tape to seal all openings:
    Floppy disk or CD/VCD drives
    USB drive
    Power supply electrical cord
  Write your initials on the tape to prove that evidence has not been tampered with
  Consider computer-specific temperature and humidity ranges
  Use well-padded containers
  Transport the evidence to the forensic facility

3.2.5 Chain of Evidence Form
  Also known as chain of custody
  The route the evidence takes from the time you find it until the case is closed or goes to court
  Important because:
    It proves where a piece of evidence was at any given time and who was responsible for it
    You can establish that the integrity of evidence was not compromised

3.2.5 Chain of Evidence Form (Cont.) Example
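The following is an added example (not from the original slides) of a chain-of-custody record kept as data rather than on paper: every handover logs who received the item, from whom, when, where, and a hash of the item at that moment, so the two properties the slide names (where the evidence was and who held it; that its integrity was not compromised) can be checked mechanically. The case, item, names and contents are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class CustodyEntry:
    when: datetime
    custodian: str                       # person responsible for the item from this moment on
    action: str                          # seized / transported / stored / imaged / returned
    location: str
    sha256: str                          # hash of the item as observed at this handover
    received_from: Optional[str] = None  # who handed it over (None for the initial seizure)


@dataclass
class ChainOfCustody:
    case_id: str
    item_id: str
    description: str
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, custodian, action, location, data, received_from=None, when=None):
        """Append a handover, hashing the item so later entries can be compared to the first."""
        digest = hashlib.sha256(data).hexdigest()
        self.entries.append(CustodyEntry(when or datetime.now(timezone.utc), custodian,
                                         action, location, digest, received_from))
        return digest

    def verify(self):
        """Return a list of problems; an empty list means the chain is unbroken."""
        problems = []
        if not self.entries:
            return ["no custody entries recorded"]
        baseline = self.entries[0].sha256
        for i, e in enumerate(self.entries):
            if e.sha256 != baseline:
                problems.append(f"entry {i}: item hash differs from the hash taken at seizure")
            if i == 0:
                continue
            prev = self.entries[i - 1]
            if e.received_from != prev.custodian:
                problems.append(f"entry {i}: received from {e.received_from!r} but the previous "
                                f"custodian was {prev.custodian!r}")
            if e.when < prev.when:
                problems.append(f"entry {i}: timestamp is earlier than the previous entry")
        return problems

    def custodian_at(self, when):
        """Who was responsible for the item at a given moment (None if before seizure)."""
        holder = None
        for e in self.entries:
            if e.when <= when:
                holder = e.custodian
        return holder


def build_demo_chain(tamper=False, skip_handover=False):
    """Constructed scenario: a seized USB stick moves from first responder to investigator to lab.
    tamper=True alters the item in transit; skip_handover=True omits the investigator's entry."""
    item = b"constructed contents of the seized USB stick"
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    chain = ChainOfCustody("CASE-0001", "ITEM-01", "USB stick, 16 GB, from suspect's desk")
    chain.record("A. First Responder", "seized", "Room 214", item, when=t0)
    if not skip_handover:
        chain.record("B. Investigator", "transported", "Evidence vehicle", item,
                     received_from="A. First Responder", when=t0.replace(hour=10))
    if tamper:
        item = item + b" [altered in transit]"
    chain.record("C. Lab Technician", "stored", "Evidence locker 7", item,
                 received_from="B. Investigator", when=t0.replace(hour=11))
    return chain


if __name__ == "__main__":
    print("intact chain:", build_demo_chain().verify() or "OK")
    print("tampered item:", build_demo_chain(tamper=True).verify())
    print("missing handover:", build_demo_chain(skip_handover=True).verify())
```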

3.2.6 Before Investigating
  The following points should be kept in mind before starting the investigation:
    Have skilled professionals
    Workstation and data recovery lab
    Alliance with a local District Attorney
    Define the methodology

3.2.6 Before Investigating (Cont.)
  When a crime does occur, certain actions must also be taken before attempting to acquire evidence from a machine:
    Preparing for an investigation
    Interviewing
    Search warrants

3.2.6 Before Investigating (Cont.)
  Preparing for an investigation. The following points need to be considered:
    Good understanding of the technical, legal, and evidentiary aspects of computers and networks
    Proper methodology
    Steps for collecting and preserving the evidence
    Steps for performing forensic analysis

3.2.6 Before Investigating (Cont.)
  Interviewing
    Usually conducted to collect information from a witness or suspect about specific facts related to an investigation
  Search warrants
    A legal document that permits members of law enforcement to search a specific location for evidence related to a criminal investigation, and possibly seize that evidence so it can be analyzed and possibly used in court

3.2.6 Before Investigating (Cont.)
  Executing the investigation
    To carry out an investigation, a search warrant from a court is required
    Warrants can be issued for:
      Entire company
      Floor
      Room
      Just a device
      Car
      House
      Any company property

3.2.7 Professional Conduct
  Maintain professional conduct at all times in an investigation
    This determines the credibility of a forensic investigator
  Investigators must display the highest level of ethics and integrity
    This indicates how you are handling the case as a whole
  Maintain a balance of morality and objectivity

3.2.7 Professional Conduct (Cont.)
  Professional detachment
    Placing all of your attention on the work rather than the emotional or psychological stress factors that may be involved
  Confidentiality is an essential feature which all forensic investigators must maintain
    Keep information about the case private and do not reveal information to those who are not directly involved in investigating the incident

3.3 Investigating Company Policy Violation

3.3.1 Policy and Procedure Development
  Policy Violations
    All employees of the company should be informed of the company policy
    Employees using the company's resources for personal use not only waste the company's time and resources but also violate company policy
    Employees misusing resources can cost companies millions of dollars

3.3.1 Policy and Procedure Development (Cont.)
  Policy Violations
    Misuse includes:
      Surfing the Internet
      Sending personal e-mails
      Using company computers for personal tasks
    Such employees should be traced and educated about the company policy
    If the problem persists, action should be taken

3.3.2 Employee Termination Cases
  The majority of investigative work for termination cases involves employee abuse of corporate assets
  Internet abuse investigations. To conduct an investigation you need:
    The organization's Internet proxy server logs
    The suspect computer's IP address
    The suspect computer's disk drive
    Your preferred computer forensics analysis tool

3.3.2 Employee Termination Cases (Cont.)
  Recommended steps:
    Use standard forensic analysis techniques and procedures
    Use appropriate tools to extract all Web page URL information
    Contact the network firewall administrator and request a proxy server log
    Compare the data recovered from forensic analysis to the proxy server log
    Continue analyzing the computer's disk drive data

3.3.2 Warning Banners
  A warning banner is text that is displayed at the point of access to a company computer
  Two items that should appear:
    Text that states the ownership of the computer
    Text that specifies appropriate use of the machine or Internet access

3.3.2 Warning Banners (Cont.)
  Displayed at the point of access
  Warns both authorized and unauthorized users
  A banner policy makes it easier to conduct an investigation of unauthorized usage
  Employees are warned about the consequences if the company's policies are violated

3.3.2 Warning Banners (Cont.) Example of warning banners

3.4 Conducting a Computer Forensic Investigation

3.4.1 The Investigation Process
  To perform an investigation properly, it is important to follow set procedures which detail the steps to be taken. Following these guidelines will:
    Help you meet the goals of handling an incident
    Provide information that can be used to handle the incident
    Avoid escalation into a more significant problem

3.4.1 The Investigation Process (Cont.)
  Six steps should be followed:
    Preparation
    Detection
    Containment
    Eradication
    Recovery
    Follow-up

3.4.1 The Investigation Process (Cont.)
  Preparation
    Preparation enables easy coordination among staff
    Providing baseline protection
    Using virus detection and eradication tools
    Providing training to the staff
  Detection
    This involves validating, identifying and reporting the incident
    Determining the symptoms given in 'how to identify an incident'

3.4.1 The Investigation Process (Cont.)
    Identifying the nature of the incident
    Identifying the events
    Protecting the evidence
    Logging and making a report of whatever anomalies have occurred
  Some of the important symptoms that can be found:
    An intrusion detection system alarm: when the IDS traces an intrusion it raises an alarm, which alerts everybody to the incident

3.4.1 The Investigation Process (Cont.)
    A person continuously trying, and failing, to log in to the systems in order to gain unauthorized access
    The presence of new files or folders. This should be looked into seriously because they can be:
      A virus
      A worm
      Any malicious code
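The repeated-failed-login symptom listed above, turned into detection logic as an added example (not part of the original slides): the code parses sshd-style failure lines, counts failures per source address inside a sliding time window, and produces the anomaly record that the "logging and making a report" step calls for. The log lines, host name and addresses (RFC 5737 documentation ranges) are constructed, and the ISO timestamp format is an assumption of the sample rather than a syslog convention.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches sshd-style failure lines; the timestamp is assumed to be ISO 8601 (constructed format).
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_login(line):
    """Return (timestamp, username, source address) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def repeated_failures(lines, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failed logins inside any `window_seconds` span.
    Returns {source: (peak_failures_in_one_window, sorted_usernames_tried)}."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, user) still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, user, src = parsed
        q = recent[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold and len(q) > flagged.get(src, (0, []))[0]:
            flagged[src] = (len(q), sorted({u for _, u in q}))
    return flagged


def report(flagged):
    """Produce the anomaly record an incident log would keep for each flagged source."""
    return [f"{src}: {n} failed logins within one window, usernames tried: {', '.join(users)}"
            for src, (n, users) in sorted(flagged.items())]


# Constructed sample log: one source hammers two accounts within 15 seconds; another source
# has a successful login and two isolated failures 20 minutes apart, which must not be flagged.
SAMPLE_LOG = """\
2024-01-15T09:30:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2024-01-15T09:30:04 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
2024-01-15T09:30:07 host1 sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
2024-01-15T09:30:10 host1 sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
2024-01-15T09:30:13 host1 sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
2024-01-15T09:30:16 host1 sshd[2006]: Failed password for root from 203.0.113.5 port 40006 ssh2
2024-01-15T09:31:00 host1 sshd[2007]: Accepted password for alice from 198.51.100.7 port 40007 ssh2
2024-01-15T09:45:00 host1 sshd[2008]: Failed password for alice from 198.51.100.7 port 40008 ssh2
2024-01-15T10:05:00 host1 sshd[2009]: Failed password for alice from 198.51.100.7 port 40009 ssh2
""".splitlines()


if __name__ == "__main__":
    for line in report(repeated_failures(SAMPLE_LOG)):
        print(line)
```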

3.4.1 The Investigation Process (Cont.)
  Containment
    Limit the extent and intensity of an incident as quickly as possible
    Avoid potentially compromising code, like FTP downloads
    Carry the data to another secure network
    Use an intrusion detection system to track the hacker
    Make complete backups of infected systems
    Change the passwords of all the unaffected systems in the LAN

3.4.1 The Investigation Process (Cont.)
  Eradication
    In this stage the documents are looked into to find and remove the cause of the incident
    Use standard anti-virus tools to remove viruses/worms from storage media
    Determine cause and symptoms
    Improve security measures by enabling firewalls and router filters, or by assigning a new IP address
    Perform vulnerability analysis

3.4.1 The Investigation Process (Cont.)
  Recovery
    Determine the course of action
    Monitor and validate systems
    Determine the integrity of the backup itself by attempting to read its data
    Verify the success of the operation and the normal condition of the system
    Monitor the system by means of network loggers, system log files and potential back doors

3.4.1 The Investigation Process (Cont.)
  Follow-up
    Revise policies and procedures from the lessons learnt from the past
    Determine the staff time required and perform the following cost analysis:
      Associated cost
      Extent to which the incident disrupted the organization
      Data lost and its value
      Damaged hardware and its cost

3.4.2 Evidence Assessment
  Processing evidence is a four-part set of procedures consisting of assessment, acquisition, examination, and documentation.
  Evidence assessment is the first part of this process, and involves evaluating issues related to the case and the digital evidence that is being sought. It requires reviewing:
    The search warrant or details of legal authorization to obtain the evidence
    The details of the case

3.4.2 Evidence Assessment (Cont.)
    Hardware and software that may be involved
    The evidence you hope to acquire for later evaluation

3.4.3 Acquiring Evidence
  The following steps are performed to collect the evidence:
    Find the evidence
    Discover the relevant data
    Prepare an order of volatility
    Eliminate external avenues of alteration
    Gather the evidence
    Prepare the chain of custody

3.4.3 Acquiring Evidence (Cont.)
  Imaging the Evidence Disk
    Capture an accurate image of the system as soon as possible
    The forensic copy can be created using various techniques, such as:
      Using MS-DOS to create a bit-stream copy of a floppy disk / hard disk
      Using imaging software to acquire a bit-stream copy of a floppy disk / hard disk

3.4.3 Acquiring Evidence (Cont.)
  Understanding Bit-stream Copies
    Bit-stream copy: bit-by-bit copy of the original storage medium
    Exact copy of the original disk
    Different from a simple backup copy
      Backup software only copies known files
      Backup software cannot copy deleted files or e-mail messages, or recover file fragments

3.4.3 Acquiring Evidence (Cont.)
  Bit-stream image
    File containing the bit-stream copy of all data on a disk or partition
    Also known as forensic copy
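An added example (not from the original slides) that demonstrates two points made above: the authentication stage of 3.2.2, where the image is accepted only if its hash matches the original, and the bit-stream versus backup distinction of this section, where a deleted file's bytes survive in the bit-stream image but are absent from a file-level backup. The "disk", its directory and file contents are constructed; the toy layout (one file per 512-byte sector, deletion removes only the directory entry) is a simplification and not a real file system.

```python
import hashlib

SECTOR = 512          # bytes per sector of the toy disk
TOTAL_SECTORS = 8


def make_constructed_disk():
    """Build a toy 8-sector 'disk' (constructed, not a real file system).
    The directory maps allocated file names to (sector, length); each file fits in one sector.
    Deleting a file removes only its directory entry, so its bytes stay in the unallocated sector."""
    disk = bytearray(TOTAL_SECTORS * SECTOR)
    directory = {}

    def write(name, sector, data):
        disk[sector * SECTOR:sector * SECTOR + len(data)] = data
        directory[name] = (sector, len(data))

    write("notes.txt", 1, b"meeting at 5pm")
    write("plan.txt", 2, b"DRAFT: route via harbour road")
    write("todo.txt", 4, b"buy milk")
    del directory["plan.txt"]          # 'delete' plan.txt: sector 2 is now unallocated, not wiped
    return bytes(disk), directory


def bit_stream_copy(disk):
    """Forensic copy: every byte of the medium, allocated or not."""
    return bytes(disk)


def file_level_backup(disk, directory):
    """Backup-style copy: only the files the directory still knows about."""
    return {name: disk[s * SECTOR:s * SECTOR + n] for name, (s, n) in directory.items()}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def authenticate(original, image):
    """Authentication step: the image is accepted only if its hash equals the original's."""
    return sha256(original) == sha256(image)


def unallocated_sectors(directory, total_sectors=TOTAL_SECTORS):
    used = {s for s, _ in directory.values()}
    return [i for i in range(total_sectors) if i not in used]


def carve_text(image, directory, needle):
    """Search the unallocated sectors of an image for a byte pattern; returns sector numbers hit."""
    return [i for i in unallocated_sectors(directory, len(image) // SECTOR)
            if needle in image[i * SECTOR:(i + 1) * SECTOR]]


def demo():
    """Run the comparison and return the observations as a dict."""
    disk, directory = make_constructed_disk()
    image = bit_stream_copy(disk)
    backup = file_level_backup(disk, directory)
    tampered = bytearray(image)
    tampered[2 * SECTOR] ^= 0xFF       # flip one byte inside the deleted fragment
    return {
        "image_authentic": authenticate(disk, image),
        "tampered_authentic": authenticate(disk, bytes(tampered)),
        "fragment_in_image": carve_text(image, directory, b"harbour road"),
        "fragment_in_backup": any(b"harbour road" in v for v in backup.values()),
        "backup_files": sorted(backup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```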

3.4.4 Evidence Examination
  Analysis can be carried out using various forensic analysis tools such as EnCase or AccessData
  Working from an image of the original machine, files and other data can be extracted from the image to separate files, which can then be reviewed by the examiner
  Extraction of evidence from a hard disk can occur at either of two levels:
    Logical extraction
    Physical extraction

3.4.5 Documenting and Reporting of Evidence
  Investigators document their evidence by creating an evidence form
  Evidence forms must be updated based on the changing technology and methods of recovering data
  Functions of the evidence form include:
    Identifying the evidence
    Identifying the investigator handling the case
    Listing the dates and times that the case was handled

3.4.5 Documenting and Reporting of Evidence (Cont.) Example of evidence form

3.4.6 Closing the Case
  The investigator should include what was done and the results in the final report
  A basic report includes: who, what, when, where and how
  In a good computing investigation the steps can be repeated and the results obtained are the same every time
  The report should explain the computer and network processes
  Explanation should be provided for the various processes and the inner workings of the system and its various interrelated components

Summary

Summary
  Take a systematic approach to investigations
  Take into account the nature of the case, instructions, and tools while planning the case
  Apply standard problem-solving techniques
  Always maintain a journal to make notes of everything
  Create bit-stream copies of files using either the Diskcopy DOS utility or the Image tool
  Keep track of the chain of custody of your evidence

End of Chapter 3