Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 2 Understanding Computer Investigations Guide to Computer Forensics and Investigations Fourth Edition.

Published byDaniel Bradford Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 2 Understanding Computer Investigations Guide to Computer Forensics and Investigations Fourth Edition."— Presentation transcript:

1 Chapter 2 Understanding Computer Investigations Guide to Computer Forensics and Investigations Fourth Edition

2 Guide to Computer Forensics and Investigations2 Taking a Systematic Approach Steps for problem solving –Make an initial assessment about the type of case you are investigating –Determine a preliminary design or approach to the case –Create a detailed checklist –Determine the resources you need –Obtain and copy an evidence disk drive

3 Guide to Computer Forensics and Investigations3 Taking a Systematic Approach (continued) Steps for problem solving (continued) –Identify the risks –Mitigate or minimize the risks –Test the design –Analyze and recover the digital evidence –Investigate the data you recover –Complete the case report –Critique the case

4 Guide to Computer Forensics and Investigations4 Assessing the Case Systematically outline the case details –Situation –Nature of the case –Specifics of the case –Type of evidence –Operating system –Known disk format –Location of evidence

5 Guide to Computer Forensics and Investigations5 Assessing the Case (continued) Based on case details, you can determine the case requirements –Type of evidence –Computer forensics tools –Special operating systems

6 Guide to Computer Forensics and Investigations6 Planning Your Investigation A basic investigation plan should include the following activities: –Acquire the evidence –Complete an evidence form and establish a chain of custody –Transport the evidence to a computer forensics lab –Secure evidence in an approved secure container

7 Guide to Computer Forensics and Investigations7 Planning Your Investigation (continued) A basic investigation plan (continued): –Prepare a forensics workstation –Obtain the evidence from the secure container –Make a forensic copy of the evidence –Return the evidence to the secure container –Process the copied evidence with computer forensics tools

8 Guide to Computer Forensics and Investigations8 Planning Your Investigation (continued) An evidence custody form helps you document what has been done with the original evidence and its forensics copies Two types –Single-evidence form Lists each piece of evidence on a separate page –Multi-evidence form

9 Guide to Computer Forensics and Investigations9 Planning Your Investigation (continued)

10 Guide to Computer Forensics and Investigations10 Planning Your Investigation (continued)

11 Guide to Computer Forensics and Investigations11 Securing Your Evidence Use evidence bags to secure and catalog the evidence Use computer safe products –Antistatic bags –Antistatic pads Use well padded containers Use evidence tape to seal all openings –Floppy disk or CD drives –Power supply electrical cord

12 Guide to Computer Forensics and Investigations12 Securing Your Evidence (continued) Write your initials on tape to prove that evidence has not been tampered with Consider computer specific temperature and humidity ranges

13 Guide to Computer Forensics and Investigations13 Procedures for Corporate High-Tech Investigations Develop formal procedures and informal checklists –To cover all issues important to high-tech investigations

14 Guide to Computer Forensics and Investigations14 Understanding Data Recovery Workstations and Software Investigations are conducted on a computer forensics lab (or data-recovery lab) Computer forensics and data-recovery are related but different Computer forensics workstation –Specially configured personal computer –Loaded with additional bays and forensics software To avoid altering the evidence use: –Forensics boot floppy disk –Write-blockers devices

15 Guide to Computer Forensics and Investigations15 Conducting an Investigation Gather resources identified in investigation plan Items needed –Original storage media –Evidence custody form –Evidence container for the storage media –Bit-stream imaging tool –Forensic workstation to copy and examine your evidence –Securable evidence locker, cabinet, or safe

16 Guide to Computer Forensics and Investigations16 Gathering the Evidence Avoid damaging the evidence Steps –Meet the IT manager to interview him –Fill out the evidence form, have the IT manager sign –Place the evidence in a secure container –Complete the evidence custody form –Carry the evidence to the computer forensics lab –Create forensics copies (if possible) –Secure evidence by locking the container

17 Guide to Computer Forensics and Investigations17 Understanding Bit-Stream Copies Bit-stream copy –Bit-by-bit copy of the original storage medium –Exact copy of the original disk –Different from a simple backup copy Backup software only copy known files Backup software cannot copy deleted files, e-mail messages or recover file fragments Bit-stream image –File containing the bit-stream copy of all data on a disk or partition –Also known as forensic copy

18 Guide to Computer Forensics and Investigations18 Understanding Bit-stream Copies (continued) Copy image file to a target disk that matches the original disk’s manufacturer, size and model

19 Guide to Computer Forensics and Investigations19 Analyzing Your Digital Evidence Your job is to recover data from: –Deleted files –File fragments –Complete files Deleted files linger on the disk until new data is saved on the same physical location Tool –ProDiscover Basic

20 Guide to Computer Forensics and Investigations20 Completing the Case You need to produce a final report –State what you did and what you found Include ProDiscover report to document your work Repeatable findings –Repeat the steps and produce the same result If required, use a report template Report should show conclusive evidence –Suspect did or did not commit a crime or violate a company policy

21 Guide to Computer Forensics and Investigations21 Critiquing the Case Ask yourself the following questions: –How could you improve your performance in the case? –Did you expect the results you found? Did the case develop in ways you did not expect? –Was the documentation as thorough as it could have been? –What feedback has been received from the requesting source?

22 Guide to Computer Forensics and Investigations22 Critiquing the Case (continued) Ask yourself the following questions (continued): –Did you discover any new problems? If so, what are they? –Did you use new techniques during the case or during research?

Download ppt "Chapter 2 Understanding Computer Investigations Guide to Computer Forensics and Investigations Fourth Edition."

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Computer Forensics.

Computer Forensics.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Computer & Network Forensics

Computer & Network Forensics
BACS 371 Computer Forensics

BACS 371 Computer Forensics
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
COS 413 DAY 2. Agenda Questions? Assignment 1 due next class Finish Discussion on Preparing for Computing Investigations Begin Discussion on Understanding.

COS 413 DAY 2. Agenda Questions? Assignment 1 due next class Finish Discussion on Preparing for Computing Investigations Begin Discussion on Understanding.
Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.

Evidence Computer Forensics. Law Enforcement vs. Citizens  Search must have probable cause –4 th amendment search warrant  Private citizen not subject.
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September.

COS/PSA 413 Day 5. Agenda Questions? Assignment 2 Redo –Due September 3:35 PM Assignment 3 posted –Due September 3:35 PM Quiz 1 on September.
COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.

COS/PSA 413 Lab 4. Agenda Lab 3 write-ups over due –Only got 9 out of 10 Capstone Proposals due TODAY –See guidelines in WebCT –Only got 4 out of 10 so.
COS/PSA 413 Day 2. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Begin.

COS/PSA 413 Day 2. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Begin.
Introduction to Computer Forensics Fall 2007. Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (http://www.forensics.nl).http://www.forensics.nl.

Introduction to Computer Forensics Fall Computer Crime Computer crime is any criminal offense, activity or issue that involves computers (
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:
Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.

Security+ All-In-One Edition Chapter 20 – Forensics Brian E. Brzezicki.
COEN 252 Computer Forensics

COEN 252 Computer Forensics

Similar presentations

Ads by Google