Slide 1: Policies and Procedures

Slide 2: Introduction
In this chapter, you will be introduced to best practices: generally accepted guidelines and procedures used by computer forensics practitioners.

Slide 3: Reasons for Policies and Procedures
Investigators establish generally accepted policies and procedures to ensure that:
- A baseline or benchmark is set for all cases, as needed for external audits or other reference
- Processes throughout the case life cycle are understood
- Technical procedures are well documented
- Integrity is automatically built into the handling of the case
- Different forensic investigators can work or collaborate on the same case without significant disruption
- The final report has a standard format

Slide 4: Personnel Hiring Issues
Characteristics important for members of a forensics unit include:
- Experience in computer forensics
- Education in relevant forensic areas
- Certifications in computer forensics
- Integrity and judgment
- Team player attitude
- Ability to adapt
- Ability to work under pressure

Slide 5: Personnel Training
Some training areas include:
- Computer forensics
- Network forensics
- PDA forensics
- Cellular phone forensics
- Legal issues
- Industry-specific issues
- Management training
- Investigative techniques

Slide 6: Pre-Case Cautions
When deciding to take a case, consider whether your team can ensure the integrity of the case's e-evidence:
- Evidence value is time sensitive
- Links to digital information can degrade

Slide 7: Deciding to Take a Case
Criteria for accepting a case include:
- Whether it is a criminal or civil case
- The impact on the investigating organization
- Whether the evidence is volatile or nonvolatile
- Legal considerations about data that might be exposed
- The nature of the crime
- Potential victims, such as children in child pornography cases
- Liability issues for the organization
- The age of the case
- Amount of time before the court date

Slide 8: FYI: Types of Data That Might Be Exposed in an Investigation
Information that can be exposed in an investigation but is not within the original scope:
- Personal financial data
- Personal e-mail
- E-mail or documents containing company secrets
- Instant messaging logs
- Privileged communications
- Proprietary information (corporate)

Slide 9: General Case Intake Form
- Checks for conflict of interest in the case
- Confirms the understanding and agreement among the parties involved and sets the stage for everything else about the case:
  - Chain of custody
  - Basic evidence documentation
Sample intake form: Sample Intake Form

Slide 10: Documenting the First Steps in the Case
The importance of documenting first steps cannot be overemphasized. Questions that should be asked before traveling to a site:
- What circumstances surrounding this case require a computer forensics expert?
- What types of hardware and software are involved?

Slide 11: Equipment in a Basic Forensics Kit
- Cellular phone
- Basic hardware toolkit
- Watertight/static-resistant plastic bags
- Labels
- Bootable media
- Cables (USB, printer, FireWire)
- Writing implements
- Laptop
- PDA
- High-resolution camera
- Hardware write blocker
- Luggage cart
- Flashlight
- Power strip
- Log book
- Gloves
- External USB hard drive
- Forensic examiner platform

Slide 12: Steps in the Forensic Examination
- Verify legal authority
- Collect preliminary data
- Determine the environment for the investigation
- Secure and transport evidence
- Acquire the evidence from the suspect system

Slide 13: Verify Legal Authority
In a criminal case, the authority to conduct a search is up to the local jurisdiction:
- A search warrant is required for search and seizure
- Search warrants may need to be amended or expanded
In civil cases involving corporate equipment, investigators have greater leeway to seize.

Slide 14: Collect Preliminary Data
Question: What types of e-evidence am I looking for?
Consideration: Are you being tasked to look for photographs, documents, databases, spreadsheets, financial records, or e-mail?

Question: What is the skill level of the user in question?
Consideration: The more sophisticated the user, the more likely that he has the capability to alter or destroy evidence.

Question: What kind of hardware is involved?
Consideration: Is it an IBM-compatible computer or a Macintosh computer?
(Continued)

Slide 15: Collect Preliminary Data (Cont.)
Question: What kind of software is involved?
Consideration: To a large degree, the type of software you are working with determines how you extract and eventually read the information.

Question: Do I need to preserve other types of evidence?
Consideration: Will you need to worry about fingerprints, DNA, or trace evidence?

Question: What is the computer environment like?
Consideration: Are you dealing with a network? If so, what are the physical/logical topology, OS, usernames and passwords?

Slide 16: Determine the Environment for the Investigation
Consider these factors when deciding where to conduct the examination:
- Integrity of the evidence collection process
- Estimation of the time required to do an examination
- Impact on the target organization
- Equipment resources
- Personnel considerations

Slide 17: Secure and Transport Evidence
Document the evidence:
- Locate all evidence to be seized
- Record a general description of the room:
  - Type of media found
  - All peripheral devices attached to the computer(s)
  - Make, model, and serial numbers of devices seized
  - What types of media devices are located in, near, or on the computer
- Note all wireless devices
- Make use of chain of custody forms

Slide 18: Secure and Transport Evidence (Cont.)
Tag the evidence:
- Tag everything that will be transported back to the forensics lab:
  - All removable media
  - All computer equipment
  - Books/magazines
  - Trash contents
  - Peripherals
  - Cables
  - Notes/miscellaneous paper
- The tag should include time, date, location, and general condition of the evidence

Slide 19: Secure and Transport Evidence (Cont.)
Bag the evidence:
- Small items go into small antistatic bags
- Larger items go into antistatic boxes
- Bagging evidence:
  - Protects the evidence
  - Organizes the evidence
  - Preserves other potential evidence

Slide 20: Secure and Transport Evidence (Cont.)
Transport the evidence:
- Use these items to make transport easier:
  - Luggage cart
  - Hand cart
  - Bungee cords with hooks or clamps
  - Duct tape
  - Small cargo net
  - Leather gloves
  - Twist ties
  - Plastic cable ties/PlastiCuffs

Slide 21: Acquire the Evidence
First document the hardware and software to be used in acquiring the evidence.
- Disassemble the suspect computer
- Acquire hard drive information
- BIOS information:
  - Boot sequence
  - Time and date

Slide 22: Acquire the Evidence (Cont.)
Basic guidelines:
- Wipe all media you plan to use, and use a standard character during that wipe
- Activate the write protection
- Perform a hash of the original drive and of the forensic copy to make sure you have a bit-for-bit copy
- Do a physical acquisition to capture space not accessible by the operating system
- Make a working or backup copy
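As an added illustration of the hash-verification guideline on this slide (example code written for this transcript, not part of the original presentation), the following Python hashes a source and its copy in chunks, keeps both digests for the case notes, and accepts the copy only if its size and every digest match. The chunk size and the choice of MD5 plus SHA-256 are assumptions; the sample "drive" and its copies are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Chunk size and the two digest algorithms are choices made for this example;
# recording more than one digest per image is common examiner practice.
CHUNK_SIZE = 1024 * 1024
ALGORITHMS = ("md5", "sha256")

def digests(path):
    """Hash a file or raw device node in chunks so large images need little memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_copy(original, copy):
    """Return (ok, record); ok is True only when size and every digest match."""
    record = {
        "original_size": os.path.getsize(original),
        "copy_size": os.path.getsize(copy),
        "original_digests": digests(original),
        "copy_digests": digests(copy),
    }
    ok = (record["original_size"] == record["copy_size"]
          and record["original_digests"] == record["copy_digests"])
    return ok, record

def demo():
    """Constructed data: a 3 MiB 'drive', an exact copy, a copy with one flipped
    byte, and a copy truncated by one byte. Returns {copy name: ok}."""
    data = bytes(range(256)) * (3 * 4096)  # 3 MiB of patterned bytes
    flipped = data[:1_500_000] + bytes([data[1_500_000] ^ 0xFF]) + data[1_500_001:]
    workdir = tempfile.mkdtemp()
    files = {"original": data, "exact": data, "flipped": flipped, "short": data[:-1]}
    for name, content in files.items():
        with open(os.path.join(workdir, name + ".dd"), "wb") as fh:
            fh.write(content)
    original = os.path.join(workdir, "original.dd")
    return {name: verify_copy(original, os.path.join(workdir, name + ".dd"))[0]
            for name in ("exact", "flipped", "short")}

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'VERIFIED' if ok else 'MISMATCH'}")
```

The truncated copy fails on size alone, which is why the size check is recorded separately from the digests: a digest mismatch without a size difference points at altered content rather than an incomplete acquisition.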

Slide 23: Examining the Evidence
- There are no specific rules for examining evidence, due to the variety of cases
- The experience level of the user determines how the examiner approaches the investigation of evidence
- Physical extraction or examination (searches in areas the operating system does not recognize)
- Logical extraction or examination (sees only what the operating system can see)

Slide 24: Examining the Evidence (Cont.)
Bottom-layer examinations:
- File system details (operating system details, known issues with the OS, server configuration)
- Directory/file system structure (FAT vs. MFT, cluster size allocations)
- Operating system norms (Which directory does it normally spool printer files in? Where are temporary files stored?)
- Other partition information
- Other operating systems (dual/multiboot systems)

Slide 25: Examining the Evidence (Cont.)
Second-layer examinations:
- Exclusion of known files using hash analysis (to eliminate common operating system files)
- File header and extension (compare the file header with its extension. Why?)
- Obvious files of interest
Third-layer examinations:
- Extraction of password-protected and encrypted files (analyzing which files are password-protected or encrypted and selecting an appropriate tool to open them)
- Extraction of compressed and deleted files (zip)
- Link analysis (records where a file has been saved recently and usually includes the path, date, and time; important because of removable storage devices)
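The two second-layer checks above, known-file exclusion by hash and header-versus-extension comparison, combined into one pass (example code added for this transcript, not from the original presentation). The signature table, the sample files and the "known" hash set are all constructed for the example; a real examination would use a published hash set and a full magic database.

```python
import hashlib
import os
import tempfile

# Constructed signature table (leading bytes -> extensions they legitimately
# carry); a real examination would use a fuller magic database.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx"},
    b"MZ": {".exe", ".dll"},
}

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def header_extensions(path):
    """Extensions implied by the file header, or None if the header is unknown."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, exts in SIGNATURES.items():
        if head.startswith(magic):
            return exts
    return None

def triage(directory, known_hashes):
    """Drop files whose hash is in the known set, then flag extension/header conflicts."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if sha256_file(path) in known_hashes:
            continue  # common OS or application file: excluded from review
        ext = os.path.splitext(name)[1].lower()
        expected = header_extensions(path)
        if expected is not None and ext not in expected:
            findings.append((name, ext, "/".join(sorted(expected))))
    return findings

def demo():
    """Constructed evidence set; 'kernel32.dll' stands in for a known OS file."""
    samples = {
        "kernel32.dll": b"MZ\x90\x00 stand-in for a known OS binary",
        "photo.jpg": b"\xff\xd8\xff\xe0 jpeg body",
        "notes.txt": b"\xff\xd8\xff\xe0 jpeg hiding behind a text extension",
        "Holiday.PNG": b"MZ\x90\x00 executable renamed to look like an image",
        "readme.txt": b"plain text with no recognised signature",
    }
    workdir = tempfile.mkdtemp()
    for name, content in samples.items():
        with open(os.path.join(workdir, name), "wb") as fh:
            fh.write(content)
    known = {sha256_file(os.path.join(workdir, "kernel32.dll"))}
    return triage(workdir, known)
```

Files with an unrecognised header are deliberately left out of the findings rather than flagged, so the list contains only real contradictions for the examiner to look at.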

Slide 26: Examining the Evidence (Cont.)
Fourth-layer examinations:
- Extraction of files of interest from unallocated space (e.g., e-mail is checked, a screen shot is stored, the program is closed, and the temporary file is deleted)
- Extraction of files of interest from file slack space
Fifth-layer examinations:
- Documentation should reflect how the evidence was extracted and where it has been extracted to for further analysis

Slide 27: The Art of Forensics: Analyzing the Data
File analysis investigations include:
- File content (case: financial fraud; files dealing with finance or spreadsheets would be the obvious choice)
- Metadata (goal: solidify the connection between the data and who actually created it)
- Application files (an application was used recently, but no files are found based on signature/header analysis)
- Files stored on removable media
- Operating system file types (finding *.tar files on a Windows OS?)
- Directory/folder structure (What does creating folders and saving files into those folders imply?)
- Patterns (e.g., finding that files are saved at 2:00 am every Monday)
- User configurations (learn the configuration to put together a picture of the evidence and to possibly locate more evidence)

Slide 28: Analyzing the Data (Cont.)
Data-hiding analyses should include:
- Password-protected files. Several options:
  - Check the Internet for password-cracking software
  - Check with the software developer of the application
  - Contact a firm that specializes in cracking passwords
- Compressed files
- Encrypted files
- Steganography

Slide 29: Analyzing the Data (Cont.)
Time frame analysis should examine the following file attributes:
- Creation date/time
- Modified date/time
- Accessed date/time
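A worked time frame analysis over the three attributes listed on this slide, which also covers the "files saved at 2:00 am every Monday" pattern from slide 27 (example code added for this transcript, not part of the original presentation). The MAC-time records are constructed; the thresholds and the alibi window are assumptions chosen for the example.

```python
from collections import Counter
from datetime import datetime

# Constructed MAC-time records (name, created, modified, accessed), in the
# form a forensic suite exports them; not taken from any real case.
RECORDS = [
    ("budget.xlsx",  "2023-03-06 02:01", "2023-03-06 02:05", "2023-03-06 02:05"),
    ("ledger.xlsx",  "2023-03-13 02:00", "2023-03-13 02:03", "2023-03-14 09:10"),
    ("memo.docx",    "2023-03-13 02:02", "2023-03-13 02:04", "2023-03-13 02:04"),
    ("transfer.pdf", "2023-03-20 01:58", "2023-03-20 02:06", "2023-03-20 02:06"),
    ("photo.jpg",    "2023-03-15 14:30", "2022-11-02 18:20", "2023-03-15 14:30"),
    ("notes.txt",    "2023-03-09 10:15", "2023-03-09 10:40", "2023-03-10 08:00"),
]
FMT = "%Y-%m-%d %H:%M"
DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]

def parse(records):
    return [(n, datetime.strptime(c, FMT), datetime.strptime(m, FMT), datetime.strptime(a, FMT))
            for n, c, m, a in records]

def modified_before_created(records):
    """Files whose content predates their creation on this volume: typical of a
    file copied in from another volume or removable media, or of clock tampering."""
    return [name for name, created, modified, _ in parse(records) if modified < created]

def recurring_slots(records, min_count=3):
    """(weekday, hour) slots in which at least min_count files were modified."""
    slots = Counter((DAYS[m.weekday()], m.hour) for _, _, m, _ in parse(records))
    return {slot: n for slot, n in slots.items() if n >= min_count}

def activity_window(records, start, end):
    """Files touched (any of the three times) within [start, end], for an alibi check."""
    lo, hi = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    return sorted({name for name, *times in parse(records) if any(lo <= t <= hi for t in times)})

if __name__ == "__main__":
    print("copied in or tampered:", modified_before_created(RECORDS))
    print("recurring activity:", recurring_slots(RECORDS))
    print("touched on 2023-03-13 00:00..06:00:",
          activity_window(RECORDS, "2023-03-13 00:00", "2023-03-13 06:00"))
```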

Slide 30: Reporting on the Investigation
The last step is to finish documenting the investigation and prepare a report on it. Documentation should include information such as:
- Notes taken during initial contact with the lead investigator
- Any forms used to start the investigation
- A copy of the search warrant
- Documentation of the scene where the computer was located
- Procedures used to acquire, extract, and analyze the evidence

Slide 31: Reporting on the Investigation (Cont.)
A detailed final report should be organized into the following sections:
- Report summary
- Body of the report
- Conclusion
- Supplementary materials (e.g., glossary, appendices)

Slide 32: Reporting on the Investigation (Cont.)
The final detailed report should cover:
- Case investigator information: name and contact details
- The suspect user information
- Case numbers or identifiers used by your department
- Location of the examination
- Type of information you have been requested to find

Slide 33: Reporting on the Investigation (Cont.)
The report summary should contain:
- Files found with evidentiary value
- Supporting files for the allegations
- Ownership analysis of files
- Analysis of data within suspect files
- Search types, including text strings, keywords, etc.
- Any attempts at data hiding, such as passwords, encryption, and steganography

Slide 34: Summary
Policies and procedures:
- Are key to a consistent and methodical investigation
- Aid in the management of a computer forensics lab
- Should be flexible enough to adjust to each case

Slide 35: Summary (Cont.)
Four main steps to any computer forensics investigation:
- Planning
- Acquisition
- Analysis
- Reporting
A computer forensic analyst must:
- Keep up with the technology of the day
- Be a psychologist who understands how people use technology
