Fallsem2023-24 Cse4004 Eth4
Investigations
1
Procedures
• As an investigator, you need to develop formal procedures and
informal checklists
• To cover all issues important to high-tech investigations
• Ensures that correct techniques are used in an investigation
2
Employee Termination Cases
• The majority of investigative work for termination cases involves
employee abuse of corporate assets
• Incidents that create a hostile work environment are the predominant
types of cases investigated
• Viewing pornography in the workplace
• Sending inappropriate e-mails
• Organizations must have appropriate policies in place
3
Internet Abuse Investigations
• To conduct an investigation you need:
• Organization’s Internet proxy server logs
• Suspect computer’s IP address
• Suspect computer’s disk drive
• Your preferred computer forensics analysis tool
4
Internet Abuse Investigations
• Recommended steps
• Use standard forensic analysis techniques and procedures
• Use appropriate tools to extract all Web page URL
information
• Contact the network firewall administrator and request a
proxy server log
• Compare the data recovered from forensic analysis to the
proxy server log
• Continue analyzing the computer’s disk drive data
5
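The "compare the data recovered from forensic analysis to the proxy server log" step, as an added Python example that is not part of the slides: a parser for Squid-style proxy log lines (the field layout is assumed; the log lines, the suspect IP and the list of URLs "recovered from the disk" are all constructed here), a URL normaliser, and a correlation that reports which recovered URLs the proxy log corroborates, which exist only on the disk (cached or typed but never proxied), and which the proxy saw but the disk analysis missed.

```python
"""Correlate URLs recovered from a suspect drive with proxy server log data.

Added example, not from the slides. The access.log lines follow the Squid
native format (assumed layout: timestamp elapsed client_ip code/status bytes
method url user hierarchy type); the data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed proxy log: two clients, four requests.
PROXY_LOG = """\
1700000001.123     87 10.1.5.23 TCP_MISS/200 5120 GET http://intranet.example.test/policy.html - HIER_DIRECT/10.0.0.5 text/html
1700000002.456    120 10.1.5.23 TCP_MISS/200 22000 GET http://badsite.example.test/index.html - HIER_DIRECT/203.0.113.9 text/html
1700000003.789     40 10.1.5.99 TCP_HIT/200 1000 GET http://news.example.test/ - HIER_NONE/- text/html
1700000004.012    300 10.1.5.23 TCP_MISS/200 80000 GET http://badsite.example.test/gallery/p1.jpg - HIER_DIRECT/203.0.113.9 image/jpeg
"""

# Constructed list of URLs extracted from browser history/cache on the drive.
RECOVERED_URLS = [
    "http://badsite.example.test/index.html",
    "http://badsite.example.test/gallery/p1.jpg#top",
    "http://INTRANET.example.test/policy.html",
    "http://other.example.test/page.html",   # on disk, never seen by the proxy
]

SUSPECT_IP = "10.1.5.23"   # constructed; taken from the suspect computer


@dataclass(frozen=True)
class ProxyEntry:
    when: datetime
    client_ip: str
    status: str
    url: str


def parse_squid_line(line):
    """Parse one native-format line; return None for blank or short lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    when = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
    return ProxyEntry(when=when, client_ip=parts[2], status=parts[3], url=parts[6])


def parse_proxy_log(text):
    return [e for e in (parse_squid_line(l) for l in text.splitlines()) if e]


def normalize(url):
    """Canonical form for comparison: lowercase scheme/host, drop fragment,
    empty path becomes '/'. Query strings are kept (they can matter)."""
    s = urlsplit(url)
    path = s.path or "/"
    query = f"?{s.query}" if s.query else ""
    return f"{s.scheme.lower()}://{s.netloc.lower()}{path}{query}"


def correlate(entries, recovered_urls, suspect_ip):
    """Return (corroborated, disk_only, proxy_only) as sets of normalized URLs,
    considering only proxy entries from the suspect's IP address."""
    proxy_urls = {normalize(e.url) for e in entries if e.client_ip == suspect_ip}
    disk_urls = {normalize(u) for u in recovered_urls}
    return proxy_urls & disk_urls, disk_urls - proxy_urls, proxy_urls - disk_urls


def requests_by_host(entries, suspect_ip):
    """Per-host request counts for the suspect IP, useful for the report."""
    return Counter(urlsplit(e.url).netloc.lower()
                   for e in entries if e.client_ip == suspect_ip)


def timeline(entries, suspect_ip):
    """Chronological (ISO time, URL) pairs for the suspect IP."""
    rows = [(e.when.isoformat(), e.url) for e in entries if e.client_ip == suspect_ip]
    return sorted(rows)


if __name__ == "__main__":
    entries = parse_proxy_log(PROXY_LOG)
    both, disk_only, proxy_only = correlate(entries, RECOVERED_URLS, SUSPECT_IP)
    print("corroborated:", sorted(both))
    print("disk only:   ", sorted(disk_only))
    print("proxy only:  ", sorted(proxy_only))
    print("by host:     ", dict(requests_by_host(entries, SUSPECT_IP)))
```

A URL that appears only on the disk is not evidence that the request never happened (the proxy may have been bypassed, or the log rotated); a URL that appears only in the proxy log is a prompt to keep analysing the drive, which is the last step on the slide.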
E-mail Abuse Investigations
• To conduct an investigation you need:
• An electronic copy of the offending e-mail that contains message header data
• If available, e-mail server log records
• For e-mail systems that store users’ messages on a central server, access to
the server
• Access to the computer so that you can perform a forensic analysis on it
• Your preferred computer forensics analysis tool
6
E-mail Abuse Investigations
• Recommended steps
• Use the standard forensic analysis techniques
• Obtain an electronic copy of the suspect’s and victim’s e-mail folder or data
• For Web-based e-mail investigations, use tools such as
FTK’s Internet Keyword Search option to extract all related
e-mail address information
• Examine header data of all messages of interest to the
investigation
7
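The "examine header data of all messages of interest" step, as an added Python example that is not part of the slides and not a feature of any named product: it parses a constructed message with the standard library `email` package, rebuilds the Received chain in delivery order (the header nearest the top was added last, by the recipient's own server, and is the one the examiner can trust most; lower hops were written by other systems), computes the delay between hops, and lists the sender fields worth comparing. All host names, addresses and timestamps below are placeholders.

```python
"""Examine e-mail header data: Received chain and sender field consistency.

Added example, not from the slides. RAW_MESSAGE is constructed; the hosts
and addresses are placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

RAW_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.test>
Received: from mx2.corp.example (mx2.corp.example [10.2.0.7])
\tby mailstore.corp.example with ESMTP id 7ab1; Tue, 5 Sep 2023 09:15:03 +0000
Received: from relay.example.test (relay.example.test [203.0.113.40])
\tby mx2.corp.example with ESMTPS id 3fe9; Tue, 5 Sep 2023 09:15:02 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.example.test with ESMTPA id 91cc; Tue, 5 Sep 2023 09:14:58 +0000
From: "HR Department" <hr@corp.example>
To: staff@corp.example
Subject: Updated leave policy
Message-ID: <20230905091457.1234@relay.example.test>
Date: Tue, 5 Sep 2023 09:14:57 +0000

Please review the attached policy.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_chain(msg):
    """Hops in delivery order (origin first). Each server prepends its own
    Received header, so the header list is reversed to get delivery order."""
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = " ".join(str(value).split())        # unfold and squeeze whitespace
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({
            "from": m.group("from"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def hop_delays(hops):
    """Seconds between consecutive hops; large or negative gaps deserve a look."""
    return [int((b["time"] - a["time"]).total_seconds())
            for a, b in zip(hops, hops[1:]) if a["time"] and b["time"]]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_consistency(msg):
    """Fields to compare, not a verdict: From/Return-Path mismatches are
    routine for bulk senders, but they tell the examiner where to look next."""
    from_addr = parseaddr(str(msg["From"]))[1]
    return_path = parseaddr(str(msg["Return-Path"]))[1]
    msg_id = str(msg["Message-ID"]).strip().strip("<>")
    hops = received_chain(msg)
    return {
        "from_domain": domain_of(from_addr),
        "return_path_domain": domain_of(return_path),
        "message_id_domain": domain_of(msg_id),
        "from_matches_return_path": domain_of(from_addr) == domain_of(return_path),
        "first_hop_ip": hops[0]["ip"] if hops else None,
        "last_hop_by": hops[-1]["by"] if hops else None,   # your own server
        "hops": len(hops),
    }


if __name__ == "__main__":
    message = parse_message(RAW_MESSAGE)
    for hop in received_chain(message):
        print(f"{hop['time']}  {hop['from']} ({hop['ip']}) -> {hop['by']}")
    print("delays:", hop_delays(received_chain(message)))
    print(sender_consistency(message))
```

In a real case the message should come from the mail server's copy or the user's mail folder with headers intact, as the slide says; a forwarded or printed copy loses the Received chain.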
Attorney-Client Privilege Investigations
• When working for an attorney under attorney-client privilege (ACP) rules
• You must keep all findings confidential
• Many attorneys like to have printouts of the data you have recovered
• You need to persuade and educate many attorneys on how digital evidence
can be viewed electronically
• You can also encounter problems if you find data in the form of binary
files
8
Attorney-Client Privilege Investigations
• Steps for conducting an ACP case
• Request a memorandum from the attorney directing you to start the
investigation
• Request a list of keywords of interest to the investigation
• Initiate the investigation and analysis
• For disk drive examinations, make two bit-stream images using different tools
for each image
• Compare hash signatures on all files on the original and re-created disks
9
Attorney-Client Privilege Investigations
• Steps for conducting an ACP case (cont’d)
• Methodically examine every portion of the disk drive and
extract all data
• Run keyword searches on allocated and unallocated disk
space
• For Windows OSs, use specialty tools to analyze and
extract data from the Registry
• For binary data files such as CAD drawings, locate the
correct software product
• For unallocated data recovery, use a tool that removes or
replaces nonprintable data
10
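The "run keyword searches on allocated and unallocated disk space" and "use a tool that removes or replaces nonprintable data" steps, as an added Python example that is not from the slides and not the behaviour of any named forensic tool: a keyword search over a raw image that looks for each keyword as ASCII and as UTF-16LE (the encoding Windows uses for many Registry and document strings), labels each hit as allocated or unallocated using an allocation map, and returns a context snippet with nonprintable bytes replaced by dots. The image, its allocation map and the keywords are all constructed here; in a real case the allocated ranges come from the file system metadata that the analysis tool reports.

```python
"""Keyword search across allocated and unallocated space of a raw image.

Added example, not from the slides. The 8-sector image and its allocation
map are constructed; in practice the ranges come from file system metadata.
"""
import re

SECTOR = 512


def build_image():
    """Constructed image: allocated files in sectors 1-2, residue of a deleted
    file in sector 5, and a UTF-16LE string in sector 6."""
    sectors = [bytes(SECTOR) for _ in range(8)]

    def put(i, payload):
        sectors[i] = payload.ljust(SECTOR, b"\x00")

    put(0, b"BOOT" + b"\x00" * 4)                                     # boot area
    put(1, b"Dear Mr. Jones, the design drawings are attached.")
    put(2, b"Quarterly memo: sales up.")
    put(5, b"\x07\x1bCONTRACT draft for acme-competitor\xff\xfe")   # deleted file
    put(6, "secret project ORION".encode("utf-16-le"))             # Windows-style string
    return b"".join(sectors)


# Constructed allocation table as byte ranges [start, end): only sectors 1-2.
ALLOCATED = [(1 * SECTOR, 3 * SECTOR)]


def is_allocated(offset, ranges=ALLOCATED):
    return any(start <= offset < end for start, end in ranges)


def printable_context(data, offset, width=24):
    """Bytes around the hit with anything outside printable ASCII shown as '.'."""
    lo, hi = max(0, offset - width), min(len(data), offset + width)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data[lo:hi])


def keyword_search(image, keywords, ranges=ALLOCATED):
    """Case-insensitive search for each keyword in ASCII and UTF-16LE form.
    Returns hits sorted by offset, each tagged allocated/unallocated."""
    hits = []
    for kw in keywords:
        forms = {"ascii": kw.encode("ascii"), "utf-16-le": kw.encode("utf-16-le")}
        for encoding, needle in forms.items():
            # IGNORECASE on a bytes pattern only folds ASCII letters, which is
            # exactly what the UTF-16LE form needs (letters interleaved with 0x00).
            for m in re.finditer(re.escape(needle), image, re.IGNORECASE):
                off = m.start()
                hits.append({
                    "keyword": kw,
                    "encoding": encoding,
                    "offset": off,
                    "sector": off // SECTOR,
                    "space": "allocated" if is_allocated(off, ranges) else "unallocated",
                    "context": printable_context(image, off),
                })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in keyword_search(build_image(), ["drawings", "contract", "orion"]):
        print(f"{hit['offset']:>6} sector {hit['sector']} {hit['space']:<11} "
              f"{hit['encoding']:<9} {hit['keyword']!r}: {hit['context']}")
```

The hit in sector 5 is the point of the slide: a file-level search would never see it because no file system entry points at that sector any more, yet the raw image still holds the text.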
Attorney-Client Privilege Investigations
• Steps for conducting an ACP case (cont’d)
• Consolidate all recovered data from the evidence bit-stream image into
folders and subfolders
• Other guidelines
• Minimize written communications with the attorney
• Any documentation written to the attorney must contain a header stating
that it’s “Privileged Legal Communication—Confidential Work Product”
• Assist the attorney and paralegal in analyzing data
11
Industrial Espionage Investigations
• All suspected industrial espionage cases should be
treated as criminal investigations
• Staff needed
• Computing investigator who is responsible for disk
forensic examinations
• Technology specialist who is knowledgeable of the
suspected compromised technical data
• Network specialist who can perform log analysis and set
up network sniffers
• Threat assessment specialist (typically an attorney)
12
Industrial Espionage Investigations
• Guidelines when initiating an investigation
• Determine whether this investigation involves a possible
industrial espionage incident
• Consult with corporate attorneys and upper management
• Determine what information is needed to substantiate the
allegation
• Generate a list of keywords for disk forensics and sniffer
monitoring
• List and collect resources for the investigation
13
Industrial Espionage Investigations
• Guidelines (cont’d)
• Determine goal and scope of the investigation
• Initiate investigation after approval from management
• Planning considerations
• Examine all e-mail of suspected employees
• Search Internet newsgroups or message boards
• Initiate physical surveillance
• Examine facility physical access logs for sensitive areas
14
Industrial Espionage Investigations
• Planning considerations (cont’d)
• Determine suspect location in relation to the vulnerable
asset
• Study the suspect’s work habits
• Collect all incoming and outgoing phone logs
• Steps for conducting an industrial espionage case
• Gather all personnel assigned to the investigation and
brief them on the plan
• Gather resources to conduct the investigation
15
Industrial Espionage Investigations
• Steps (cont’d)
• Place surveillance systems at key locations
• Discreetly gather any additional evidence
• Collect all log data from networks and e-mail servers
• Report regularly to management and corporate attorneys
• Review the investigation’s scope with management and corporate attorneys
16
Interviews and Interrogations in High-Tech Investigations
• Becoming a skilled interviewer and interrogator can take many years
of experience
• Interview
• Usually conducted to collect information from a witness or suspect
• About specific facts related to an investigation
• Interrogation
• Process of trying to get a suspect to confess
17
Interviews and Interrogations in High-Tech Investigations
• Role as a computing investigator
• To instruct the investigator conducting the interview on
what questions to ask
• And what the answers should be
• Ingredients for a successful interview or
interrogation
• Being patient throughout the session
• Repeating or rephrasing questions to zero in on specific
facts from a reluctant witness or suspect
• Being tenacious
18
Understanding Data Recovery Workstations and Software
• Investigations are conducted in a computer forensics lab (or data-recovery lab)
• In data recovery, the customer or your company just wants the data back
• Computer forensics workstation
• A specially configured PC
• Loaded with additional bays and forensics software
• To avoid altering the evidence, use:
• Write-blocker devices
• These enable you to boot to Windows without writing data to the evidence drive
19
Setting Up Your Workstation for Digital Forensics
• Basic requirements
• A workstation running Windows
• A write-blocker device
• Digital forensics acquisition tool
• Digital forensics analysis tool
• Target drive to receive the source or suspect disk data
• Spare PATA or SATA ports
• USB ports
20
Setting Up Your Workstation for Digital Forensics
• Additional useful items
• Network interface card (NIC)
• Extra USB ports
• FireWire 400/800 ports
• SCSI card
• Disk editor tool
• Text editor tool
• Graphics viewer program
• Other specialized viewing tools
21
Conducting an Investigation
• Gather resources identified in investigation plan
• Items needed
• Original storage media
• Evidence custody form
• Evidence container for the storage media
• Bit-stream imaging tool
• Forensic workstation to copy and examine your evidence
• Securable evidence locker, cabinet, or safe
22
Gathering the Evidence
• Avoid damaging the evidence
• Steps
• Meet with the IT manager and interview them
• Fill out the evidence form and have the IT manager sign it
• Place the evidence in a secure container
• Carry the evidence to the computer forensics lab
• Complete the evidence custody form
• Secure evidence by locking the container
23
Understanding Bit-Stream Copies
• Bit-stream copy
• Bit-by-bit copy of the original storage medium
• Exact copy of the original disk
• Different from a simple backup copy
• Backup software copies only known files
• Backup software cannot copy deleted files or e-mail messages, or recover
file fragments
• Bit-stream image
• File containing the bit-stream copy of all data on a disk or
partition
• Also known as “image” or “image file”
24
Understanding Bit-stream Copies
• Copy image file to a target disk that matches the original disk’s
manufacturer, size and model
25
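The bit-stream copy slides above, together with the ACP step "make two bit-stream images using different tools for each image" and "compare hash signatures on all files on the original and re-created disks", as one added Python example that is not from the slides and does not model any named imaging tool. The "drive" is a constructed in-memory byte string with a constructed allocation table; the two imaging "tools" are stood in for by two independent dd-style reads with different block sizes. It shows why a bit-stream image differs from a backup (the deleted file's content survives in the image but is absent from the backup), that both images hash identically to the source, and that every allocated file hashes the same on the original and on the image.

```python
"""Bit-stream image versus backup copy, with dual-image hash verification.

Added example, not from the slides. The drive, allocation table and file
contents are constructed; SHA-256 stands in for whichever hash the lab uses.
"""
import hashlib
import io

SECTOR = 512
DELETED_CONTENT = b"CONFIDENTIAL draft - do not distribute"


def make_sample_drive():
    """Constructed 8-sector drive: sectors 1-2 hold letter1, sector 3 holds a
    memo, sector 5 still holds the content of a file that was deleted."""
    sectors = [bytes(SECTOR) for _ in range(8)]
    sectors[1] = b"letter1 part one ".ljust(SECTOR, b"\x00")
    sectors[2] = b"letter1 part two ".ljust(SECTOR, b"\x00")
    sectors[3] = b"memo: meeting at 10 ".ljust(SECTOR, b"\x00")
    sectors[5] = DELETED_CONTENT.ljust(SECTOR, b"\x00")
    return b"".join(sectors)


# Constructed allocation table: file name -> sectors it occupies.
ALLOCATION = {"letter1.txt": [1, 2], "memo.txt": [3]}


def bitstream_image(device, block_size=SECTOR):
    """Read every byte of the device in fixed-size blocks (dd-style), hashing
    while copying. Returns (image_bytes, sha256_hex)."""
    src = io.BytesIO(device)
    digest = hashlib.sha256()
    out = bytearray()
    while True:
        block = src.read(block_size)
        if not block:
            break
        digest.update(block)
        out += block
    return bytes(out), digest.hexdigest()


def backup_copy(device, allocation):
    """What backup software sees: only the allocated files, by name."""
    files = {}
    for name, sectors in allocation.items():
        data = b"".join(device[s * SECTOR:(s + 1) * SECTOR] for s in sectors)
        files[name] = data.rstrip(b"\x00")
    return files


def verify_two_images(device):
    """Two images made independently (different block sizes stand in for
    different tools) must match each other and the source byte for byte."""
    img_a, hash_a = bitstream_image(device, 512)
    img_b, hash_b = bitstream_image(device, 4096)
    source_hash = hashlib.sha256(device).hexdigest()
    return {"match": hash_a == hash_b == source_hash and img_a == img_b == device,
            "sha256": source_hash}


def file_hashes(device, allocation):
    """Per-file hash signatures, computed from the allocation table."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in backup_copy(device, allocation).items()}


def compare_file_hashes(original, image, allocation):
    """name -> True when the file hashes the same on original and re-created disk."""
    a, b = file_hashes(original, allocation), file_hashes(image, allocation)
    return {name: a[name] == b.get(name) for name in a}


def deleted_content_present(device):
    """The deleted file is in the bit-stream image but not in the backup."""
    image, _ = bitstream_image(device)
    backup = backup_copy(device, ALLOCATION)
    return {"in_image": DELETED_CONTENT in image,
            "in_backup": any(DELETED_CONTENT in data for data in backup.values())}


if __name__ == "__main__":
    drive = make_sample_drive()
    print(verify_two_images(drive))
    print(compare_file_hashes(drive, bitstream_image(drive)[0], ALLOCATION))
    print(deleted_content_present(drive))
```

Hashing while reading, rather than hashing the image afterwards, gives a source hash taken at acquisition time to compare against the image hash; if the two ever differ, the image is not a faithful copy and the analysis should not proceed on it.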
Acquiring an Image of Evidence Media
• First rule of computer forensics
• Preserve the original evidence
• Conduct your analysis only on a copy of the data
• Several vendors provide MS-DOS, Linux, and
Windows acquisition tools
• Windows tools require a write-blocking device when
acquiring data from FAT or NTFS file systems
26
Using ProDiscover Basic to Acquire a USB Drive
• Create a work folder for data storage
• Steps to perform an acquisition on a USB drive:
• On the USB drive locate the write-protect switch and place the drive in write-
protect mode
• Start ProDiscover Basic
• In the main window, click Action, Capture Image from the menu
• Click the Source Drive drop-down list, and select the thumb drive
27
Using ProDiscover Basic to Acquire a USB Drive (screenshot slide; image not included)
28
Using ProDiscover Basic to Acquire a USB Drive
• Steps (cont’d)
• Click the >> button next to the Destination text box
• Type your name in the Technician Name text box
• ProDiscover Basic then acquires an image of the USB
thumb drive
• Click OK in the completion message box
29
Using ProDiscover Basic to Acquire a USB Drive (screenshot slide; image not included)
30
Analyzing Your Digital Evidence
• Your job is to recover data from:
• Deleted files
• File fragments
• Complete files
• Deleted files linger on the disk until new data is saved on the same
physical location
• Tools can be used to retrieve deleted files
• ProDiscover Basic
31
Analyzing Your Digital Evidence
• Steps to analyze a USB drive
• Start ProDiscover Basic
• Create a new case
• Type the project number
• Add an Image File
• Steps to display the contents of the acquired data
• Click to expand Content View
• Click All Files under the image filename path
32
Analyzing Your Digital Evidence
• Steps to display the contents of the acquired data (cont’d)
• Click letter1 to view its contents in the data area
• In the data area, view contents of letter1
• Analyze the data
• Search for information related to the complaint
• Data analysis can be the most time-consuming task
33
Analyzing Your Digital Evidence (screenshot slide; image not included)
34
Analyzing Your Digital Evidence
• With ProDiscover Basic you can:
• Search for keywords of interest in the case
• Display the results in a search results window
• Click each file in the search results window and examine its content in the
data area
• Export the data to a folder of your choice
• Search for specific filenames
• Generate a report of your activities
35
Analyzing Your Digital Evidence (screenshot slides 36 to 38; images not included)
Completing the Case
• You need to produce a final report
• State what you did and what you found
• Include ProDiscover report to document your work
• Repeatable findings
• Repeat the steps and produce the same result
• If required, use a report template
• Report should show conclusive evidence
• Suspect did or did not commit a crime or violate a
company policy
39
Completing the Case
• Keep a written journal of everything you do
• Your notes can be used in court
• Answer the six Ws:
• Who, what, when, where, why, and how
• You must also explain computer and network
processes
40
Critiquing the Case
• Ask yourself the following questions:
• How could you improve your performance in the case?
• Did you expect the results you found? Did the case develop in ways you did
not expect?
• Was the documentation as thorough as it could have been?
• What feedback has been received from the requesting source?
41
Critiquing the Case
• Ask yourself the following questions (cont’d):
• Did you discover any new problems? If so, what are they?
• Did you use new techniques during the case or during research?
42
Summary
• Digital forensics involves systematically accumulating and analyzing
digital information for use as evidence in civil, criminal, and
administrative cases
• Investigators need specialized workstations to examine digital
evidence
• Public-sector and private-sector investigations differ; public-sector
investigations typically require search warrants before seizing digital evidence
43
Summary
• Always use a systematic approach to your
investigations
• Always plan a case taking into account the nature of
the case, case requirements, and evidence-gathering
techniques
• Both criminal cases and corporate-policy violations
can go to court
• Plan for contingencies for any problems you might
encounter
• Keep track of the chain of custody of your evidence
44
Summary
• Internet abuse investigations require examining
server log data
• For attorney-client privilege cases, all written
communication should remain confidential
• A bit-stream copy is a bit-by-bit duplicate of the
original disk
• Always maintain a journal to keep notes on exactly
what you did
• You should always critique your own work
45