Computer Forensics Principles and Practices


1 Computer Forensics: Principles and Practices
by Volonino, Anzaldua, and Godwin
Chapter 4: Policies and Procedures

2 Objectives
- Explain the reasons for policies and procedures
- Formulate policies and procedures
- Identify the steps in a forensic examination
- Conduct an investigation
- Report the results of an investigation

© Pearson Education Computer Forensics: Principles and Practices

3 Introduction
In this chapter, you will be introduced to best practices and generally accepted guidelines and procedures used by computer forensics practitioners. These guidelines and procedures need to be customized to meet the requirements of individual cases.

Introduce the chapter.

4 Reasons for Policies and Procedures
Investigators establish generally accepted policies and procedures to ensure that:
- A benchmark is set for all cases, as needed for external audits or other reference
- Processes throughout the case life cycle are understood
- Technical procedures are well documented
- Integrity is built into the handling of the case by default, rather than depending on each examiner's memory
- Different forensic investigators can work or collaborate on the same case without significant disruption
- The final report has a standard format

Discuss some of the reasons why generally accepted policies and procedures are put into place.

5 Personnel Hiring Issues
Characteristics important for members of a forensics unit include:
- Experience in computer forensics
- Education in relevant forensic areas
- Certifications in computer forensics
- Integrity and judgment
- Team player attitude
- Ability to adapt
- Ability to work under pressure

Explain some of the issues of hiring computer forensics investigators.

6 Personnel Training
Some training areas include:
- Computer forensics
- Network forensics
- PDA forensics
- Cellular phone forensics
- Legal issues
- Industry-specific issues
- Management training
- Investigative techniques

Provide other areas that you know of that would be important for computer forensics investigators. You may want to have a discussion regarding the administrative issues that face a computer forensics lab. They are very similar to those of other organizations.

7 Pre-Case Cautions
- When deciding to take a case, consider whether your team can ensure the integrity of the case's e-evidence
- Evidence value is time sensitive
- Links to digital information degrade over time: logs roll over, volatile data is lost at power-off, and media gets reused or overwritten

Discuss the cautions when taking a case and the time-sensitive nature of expediting the investigation.

8 Deciding to Take a Case
Criteria for accepting a case include:
- Whether it is a criminal or civil case
- The impact on the investigating organization
- Whether the evidence is volatile or nonvolatile
- Legal considerations about data that might be exposed
- The nature of the crime
- Potential victims, such as children in child pornography cases
- Liability issues for the organization
- The age of the case
- Amount of time before the court date

Discuss the reasons for taking a case.

9 FYI: Types of Data That Might Be Exposed in an Investigation
Information that can be exposed in an investigation but is not within the original scope:
- Personal financial data
- Personal documents, or documents containing company secrets
- Instant messaging logs
- Privileged communications
- Proprietary information (corporate)

Explain some of the information that might be exposed during the life of an investigation.

10 General Case Intake Form
- Checks for conflict of interest in the case
- Confirms the understanding and agreement among the parties involved and sets the stage for everything else about the case
- Chain of custody
- Basic evidence documentation

Discuss the importance of a case intake form. Refer to the link to the special report by the Department of Justice. Also discuss the In Practice: Triple Constraint of an Honest Estimate, from the book.

11 Documenting the First Steps in the Case
The importance of documenting first steps cannot be overemphasized. Questions that should be asked before traveling to a site:
- What circumstances surrounding this case require a computer forensics expert?
- What types of hardware and software are involved?

Discuss these questions regarding documenting the case.

12 Equipment in a Basic Forensics Kit
- Cellular phone
- Basic hardware toolkit
- Watertight/static-resistant plastic bags
- Labels
- Bootable media
- Cables (USB, printer, FireWire)
- Writing implements
- Laptop
- PDA
- High-resolution camera
- Hardware write blocker
- Luggage cart
- Flashlight
- Power strip
- Log book
- Gloves
- External USB hard drive
- Forensic examiner platform

Outline the basic tools that need to be in a forensics toolkit.

13 Steps in the Forensic Examination
- Verify legal authority
- Collect preliminary data
- Determine the environment for the investigation
- Secure and transport evidence
- Acquire the evidence from the suspect system

Discuss the steps in a forensics examination. These topics are expanded on the following slides.

14 Verify Legal Authority
- In a criminal case, authority to conduct a search is determined by the local jurisdiction
- A search warrant is required for search and seizure
- Search warrants may need to be amended or expanded as the scope of the evidence becomes clear
- The plain view doctrine allows seizure of other materials that are immediately apparent as evidence
- In civil cases involving corporate equipment, investigators have greater leeway to seize, because the organization owns the equipment and its policies, rather than a warrant, set the limits

Make sure that Fourth Amendment rights are protected. The Fourth Amendment constrains searches by government agents; in a private civil investigation the corresponding limits come from ownership, consent and the organization's acceptable-use policy.

15 Collect Preliminary Data
Question: What types of e-evidence am I looking for?
Consideration: Are you being tasked to look for photographs, documents, databases, spreadsheets, financial records, or something else?

Question: What is the skill level of the user in question?
Consideration: The more sophisticated the user, the more likely that he has the capability to alter or destroy evidence.

Question: What kind of hardware is involved?
Consideration: Is it an IBM-compatible computer or a Macintosh computer?

Discuss the questions and considerations in collecting preliminary data. (Continued)

16 Collect Preliminary Data (Cont.)
Question: What kind of software is involved?
Consideration: To a large degree, the type of software you are working with determines how you extract and eventually read the information.

Question: Do I need to preserve other types of evidence?
Consideration: Will you need to worry about fingerprints, DNA, or trace evidence?

Question: What is the computer environment like?
Consideration: Are you dealing with a network? If so, what are the physical/logical topology, OS, usernames and passwords?

Continue the discussion of the questions and considerations in collecting preliminary data.

17 Determine the Environment for the Investigation
Consider these factors when deciding where to conduct the examination:
- Integrity of the evidence collection process
- Estimation of the time required to do an examination
- Impact on the target organization
- Equipment resources
- Personnel considerations

Discuss the factors that need to be considered when deciding where to conduct the examination.

18 Secure and Transport Evidence
Document the evidence:
- Locate all evidence to be seized
- Record a general description of the room:
  - Type of media found
  - All peripheral devices attached to the computer(s)
  - Make, model, and serial numbers of devices seized
  - What types of media devices are located in, near, or on the computer
  - Note all wireless devices
- Make use of chain of custody forms

Discuss the documentation of evidence in relation to securing and transporting that evidence.

19 Secure and Transport Evidence (Cont.)
Tag the evidence:
- Tag everything that will be transported back to the forensics lab:
  - All removable media
  - All computer equipment
  - Books/magazines
  - Trash contents
  - Peripherals
  - Cables
  - Notes/miscellaneous paper
- The tag should include time, date, location, and general condition of the evidence

Discuss the tagging of evidence in relation to securing and transporting that evidence.

20 Secure and Transport Evidence (Cont.)
Bag the evidence:
- Small items go into small antistatic bags
- Larger items go into antistatic boxes
- Bagging evidence:
  - Protects the evidence
  - Organizes the evidence
  - Preserves other potential evidence

Discuss the bagging of evidence and what items should be tagged.

21 Secure and Transport Evidence (Cont.)
Transport the evidence. Use these items to make transport easier:
- Luggage cart
- Hand cart
- Bungee cords with hooks or clamps
- Duct tape
- Small cargo net
- Leather gloves
- Twist ties
- Plastic cable ties/PlastiCuffs

Discuss the items that are useful in safely transporting the evidence.

22 Acquire the Evidence
- First document the hardware and software to be used in acquiring the evidence
- Disassemble the suspect computer
- Record before imaging:
  - Hard drive information
  - BIOS information
  - Boot sequence
  - BIOS time and date, noted against a reference clock so that timestamps on the drive can later be corrected for clock drift
- What hardware, software, and media will be used to acquire evidence?

Discuss acquiring the hard drive and the disassembly process. Discuss the process of acquiring a hard drive image and the documentation of that process.

23 Acquire the Evidence (Cont.)
Basic guidelines:
- Wipe all media you plan to use, using a single standard character for the wipe, so that nothing left over from a previous case can be mistaken for evidence
- Activate write protection (a hardware write blocker between the suspect drive and the acquisition system)
- Hash the original drive and the forensic copy and compare the two values to confirm you have a bit-for-bit copy
- Do a physical acquisition, which captures space not accessible through the operating system (unallocated space, file slack, hidden or unmounted partitions)
- Make a working or backup copy, and do the analysis on that copy rather than on the verified image

Explain the basic guidelines of acquisition.
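The acquisition sequence above, carried out on constructed data, as an added example that is not code from the Volonino, Anzaldua, and Godwin text: wipe the destination with a single known byte and record the hash of the wipe, copy the source bit for bit while hashing the bytes as they are read, re-read the image from disk and hash it independently, then make a working copy and check it against the verified image. The source path is a plain file standing in for a block device such as /dev/sdb; the assumption that the device sits behind a hardware write blocker is not something this code can enforce. Unreadable regions are zero-filled and their offsets logged, the way dd's conv=noerror,sync keeps later offsets aligned.

```python
"""Physical acquisition with hash verification (added example; not the
textbook's code). The source path stands in for a block device that, in
practice, sits behind a hardware write blocker; this code assumes that
and cannot enforce it."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read


def wipe(path: str, size: int, pattern: bytes = b"\x00") -> str:
    """Overwrite destination media with one standard character and return
    the SHA-256 of what was written, so the wipe can be recorded in the log."""
    if len(pattern) != 1:
        raise ValueError("use a single standard character for the wipe")
    h = hashlib.sha256()
    with open(path, "wb") as f:
        remaining = size
        while remaining > 0:
            block = pattern * min(CHUNK, remaining)
            f.write(block)
            h.update(block)
            remaining -= len(block)
    return h.hexdigest()


def hash_file(path: str) -> str:
    """Independent re-read of a file from disk, used to verify a copy."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str) -> dict:
    """Bit-for-bit copy of source to image.

    A region that fails to read (for example EIO from a bad sector) is
    replaced by zero bytes of equal length and its offsets are recorded,
    so offsets later in the image still match the original. The source
    hash covers the bytes as read; the image hash comes from re-reading
    the finished image, not from the bytes written.
    """
    src_hash = hashlib.sha256()
    bad_ranges = []
    offset = 0
    with open(source, "rb", buffering=0) as src, open(image, "wb") as dst:
        while True:
            try:
                block = src.read(CHUNK)
            except OSError:
                block = b"\x00" * CHUNK
                bad_ranges.append((offset, offset + CHUNK))
                src.seek(offset + CHUNK)
            if not block:
                break
            dst.write(block)
            src_hash.update(block)
            offset += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    image_hash = hash_file(image)
    return {
        "bytes": offset,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": src_hash.hexdigest() == image_hash,
        "bad_ranges": bad_ranges,
    }


def demo() -> dict:
    """Run the whole sequence on constructed data in a temporary directory:
    wipe the destination, image the 'drive', verify, make a working copy."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    suspect = os.path.join(workdir, "suspect-drive.bin")  # constructed source
    with open(suspect, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # deliberately not chunk-aligned
    image = os.path.join(workdir, "evidence.dd")
    wipe_ok = wipe(image, 4 * CHUNK) == hash_file(image)
    result = acquire(suspect, image)
    # Working copy for analysis; the verified image is not touched again.
    working = os.path.join(workdir, "working.dd")
    with open(image, "rb") as a, open(working, "wb") as b:
        for block in iter(lambda: a.read(CHUNK), b""):
            b.write(block)
    result["wipe_verified"] = wipe_ok
    result["working_copy_matches"] = hash_file(working) == result["image_sha256"]
    return result


if __name__ == "__main__":
    print(demo())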

24 Examining the Evidence
- There are no specific rules for examining evidence, due to the variety of cases
- The experience level of the user determines how the examiner approaches the investigation of evidence
- Physical extraction or examination
- Logical extraction or examination

Begin the discussion of examining the evidence.

25 Examining the Evidence (Cont.)
Bottom-layer examinations:
- File system details
- Directory/file system structure
- Operating system norms
- Other partition information
- Other operating systems (dual/multiboot systems)

In the next few slides discuss the different layers of an investigation, from the bottom up.

26 Examining the Evidence (Cont.)
Second-layer examinations:
- Exclusion of known files using hash analysis
- File header and extension
- Obvious files of interest

Third-layer examinations:
- Extraction of password-protected and encrypted files
- Extraction of compressed and deleted files
- Link analysis
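The two second-layer checks above, hash exclusion of known files and comparison of the file header against the extension, as an added example that is not the textbook's code. The known-hash set and the files are constructed for the demo; in practice the set would be a reference collection such as the NSRL RDS, hashed with whatever digest that collection publishes, and the files would come from a read-only mount of the verified image. The signature table is a small hand-picked subset and is an assumption of this example, as is the choice to treat Office Open XML and JAR files as what they are on disk, ZIP containers, rather than flagging them.

```python
"""Second-layer triage (added example, not the textbook's code): drop files
whose hashes match a known-file set, and flag files whose header does not
match their extension. Reference set and sample files are constructed."""
import hashlib
import os
import tempfile

# Magic numbers (file signatures) for a handful of common types. Subset
# chosen for this example; a real examination uses a much larger table.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # docx/xlsx/pptx/jar are ZIP containers
    b"MZ": "exe",          # any PE image: exe, dll, sys
}
# Extensions that legitimately share a signature with another type.
ALIASES = {
    "jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
    "dll": "exe", "sys": "exe",
}


def digest(path: str) -> str:
    """SHA-256 of a file; use the digest your reference set publishes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def header_type(path: str):
    """Type implied by the first bytes of the file, or None if unknown."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def triage(root: str, known_hashes: set) -> dict:
    """Classify every file under root. Paths are returned relative to root."""
    out = {"excluded": [], "mismatched": [], "remaining": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if digest(path) in known_hashes:
                out["excluded"].append(rel)       # known good, not examined
                continue
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            ext = ALIASES.get(ext, ext)
            kind = header_type(path)
            if kind is not None and ext != kind:
                out["mismatched"].append((rel, ext, kind))  # renamed file
            else:
                out["remaining"].append(rel)      # left for keyword review
    for key in out:
        out[key].sort()
    return out


def demo() -> dict:
    root = tempfile.mkdtemp(prefix="triage-")
    files = {  # constructed contents standing in for files on a mounted image
        "readme.txt": b"Standard OS readme, present on every install.\n",
        "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "report.docx": b"PK\x03\x04" + b"\x00" * 64,
        "notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 64,  # JPEG renamed .txt
        "invoice.pdf": b"%PDF-1.4\n" + b"\x00" * 64,
        "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,  # PNG named .jpg
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    known = {digest(os.path.join(root, "readme.txt"))}  # stands in for NSRL
    return triage(root, known)


if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

The mismatch list is where the examiner starts: a file whose header says JPEG but whose name says .txt was renamed by someone, and that is exactly the kind of "obvious file of interest" the slide refers to. Files with an unknown header are not flagged, only left in the remaining set, because a short signature table cannot prove a file is not what it claims to be.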

27 Examining the Evidence (Cont.)
Fourth-layer examinations:
- Extraction of files of interest from unallocated space
- Extraction of files of interest from file slack space

Fifth-layer examinations:
- Documentation should reflect how the evidence was extracted and where it has been extracted to for further analysis

28 The Art of Forensics: Analyzing the Data
File analysis investigations include:
- File content
- Metadata
- Application files
- Operating system file types
- Directory/folder structure
- Patterns
- User configurations

Begin your discussion of the art of forensics and analyzing the data. This is where forensic science skills move to forensic art skills, or the skills relating to knowing how people use technology in order to understand how to find information.

29 Analyzing the Data (Cont.)
Data-hiding analyses should include:
- Password-protected files:
  - Check the Internet for password-cracking software
  - Check with the software developer of the application
  - Contact a firm that specializes in cracking passwords
- Compressed files
- Encrypted files
- Steganography

Discuss the analysis of hidden data.

30 Analyzing the Data (Cont.)
Time frame analysis should examine the following file attributes:
- Creation date/time
- Modified date/time
- Accessed date/time

This information will allow you to begin to make a correlation between file and user. It does not establish that the suspect was actually the one sitting at the computer at the time of the crime or file creation/access/modification.
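A minimal time frame analysis over the three attributes above, as an added example that is not the textbook's code: every file under a directory contributes one event per timestamp, the events are sorted, and a window of interest is printed oldest first. The files and their timestamps are constructed for the demo. Two caveats a practitioner wants here: the files must be read from a read-only mount of the image, because on a file system that maintains access times, opening a file during the examination overwrites the very "accessed" value being recorded (Windows has had last-access updates disabled by default since Vista, and Linux mounts with relatime, so an "accessed" timestamp is often stale rather than meaningful); and `st_ctime` means creation time on Windows but inode metadata change time on POSIX, so the event label depends on the platform.

```python
"""MAC-time timeline (added example, not the textbook's code). Files and
timestamps below are constructed; a real run points `root` at a read-only
mount of the verified image."""
import os
import tempfile
from datetime import datetime, timezone


def mac_events(root: str) -> list:
    """(epoch_seconds, event, relative_path) for every file under root."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root)
            events.append((st.st_mtime, "modified", rel))
            events.append((st.st_atime, "accessed", rel))
            birth = getattr(st, "st_birthtime", None)  # BSD/macOS creation time
            if birth is not None:
                events.append((birth, "created", rel))
            # Windows: st_ctime is creation time. POSIX: inode change time.
            events.append((st.st_ctime, "created" if os.name == "nt" else "changed", rel))
    events.sort()
    return events


def timeline(root: str, start=None, end=None) -> list:
    """Events inside [start, end] (epoch seconds), oldest first, as
    (event, path) pairs plus a printable row for each."""
    rows = []
    for ts, kind, rel in mac_events(root):
        if start is not None and ts < start:
            continue
        if end is not None and ts > end:
            continue
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        rows.append(((kind, rel), f"{when}  {kind:<9} {rel}"))
    return rows


def demo() -> dict:
    """Constructed scenario: a draft written on 2021-03-01 09:00 UTC, a
    final version written the next morning, an older photo opened in between."""
    root = tempfile.mkdtemp(prefix="timeline-")
    T0 = 1_614_589_200  # 2021-03-01 09:00:00 UTC
    HOUR = 3600
    stamps = {  # name: (atime, mtime), constructed
        "draft.doc": (T0 + 26 * HOUR, T0),
        "final.doc": (T0 + 25 * HOUR + 1800, T0 + 25 * HOUR + 1800),
        "photo.jpg": (T0 + 2 * HOUR, T0 - 48 * HOUR),
    }
    for name, (atime, mtime) in stamps.items():
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"constructed content\n")
        os.utime(path, (atime, mtime))
    # ctime/birthtime are "now" and fall outside this window by design;
    # they cannot be set from user space and would only add noise here.
    rows = timeline(root, start=T0 - 72 * HOUR, end=T0 + 72 * HOUR)
    return {"events": [e for e, _ in rows], "rows": [r for _, r in rows]}


if __name__ == "__main__":
    for row in demo()["rows"]:
        print(row)
```

Reading the output top to bottom gives the order the slide is after: the photo already existed, the draft was written, the photo was opened two hours later, the final version was written the next morning and the draft re-opened shortly after. Which account was logged in and whether the clock was correct are separate questions, which is the slide's point about correlation not being identification.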

31 Reporting on the Investigation
The last step is to finish documenting the investigation and prepare a report on it. Documentation should include information such as:
- Notes taken during initial contact with the lead investigator
- Any forms used to start the investigation
- A copy of the search warrant
- Documentation of the scene where the computer was located
- Procedures used to acquire, extract, and analyze the evidence

Discuss what should be included in the final report of the investigation. Begin by emphasizing the importance of documenting each step of the investigation, from start to finish.

32 Reporting on the Investigation (Cont.)
A detailed final report should be organized into the following sections:
- Report summary
- Body of the report
- Conclusion
- Supplementary materials

Discuss the parts of the detailed final report.

33 Reporting on the Investigation (Cont.)
The final detailed report should cover:
- Case investigator information: name and contact details
- The suspect user information
- Case numbers or identifiers used by your department
- Location of the examination
- Type of information you have been requested to find

This is just a short list of the minimum information that should be included in the report. See the bullet list in the book.

34 Reporting on the Investigation (Cont.)
The report summary should contain:
- Files found with evidentiary value
- Supporting files that corroborate the allegations
- Ownership analysis of files
- Analysis of data within suspect files
- Search types used, including text strings, keywords, etc.
- Any attempts at data hiding, such as passwords, encryption, and steganography

Discuss what should be included in the report summary. This is just a minimum list.

35 Summary
Policies and procedures:
- Are key to a consistent and methodical investigation
- Aid in the management of a computer forensics lab
- Should be flexible enough to adjust to each case

36 Summary (Cont.)
Four main steps to any computer forensics investigation:
- Planning
- Acquisition
- Analysis
- Reporting

A computer forensic analyst must:
- Keep up with the technology of the day
- Be a psychologist who understands how people use technology

