GUIDE TO COMPUTER FORENSICS AND

INVESTIGATIONS
6TH EDITION
CHAPTER 1
UNDERSTANDING THE DIGITAL FORENSICS PROFESSION AND INVESTIGATIONS
DIGITAL FORENSIC

Digital forensics is the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence (information of probative value that is stored or transmitted in binary form) after proper search authority, chain of custody, validation with mathematics (hash function), use of validated tools, repeatability, reporting and possible expert presentation.
(Ken Zatyko, former director of the Defense Computer Forensics Laboratory)
DIGITAL FORENSIC (NIST’S DEFINITION)

 “The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.”
 NIST SP800-86 (Guide to Integrating Forensic Techniques into Incident Response)
https://csrc.nist.gov/publications/detail/sp/800-86/final
DIGITAL FORENSICS STANDARDS

ISO 27037
 “Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence”
www.iso.org/standard/44381.html
CART

 FBI Computer Analysis and Response Team (CART)
 Formed in 1984 to handle the increasing number of cases involving digital evidence
https://www2.fbi.gov/hq/lab/org/cart.htm
DIGITAL FORENSICS VS. OTHER RELATED DISCIPLINES

DIGITAL FORENSICS VS NETWORK FORENSICS

 Digital Forensics:
  investigate data that can be retrieved from a computer’s hard drive or other storage media
  information retrieved might already be on the drive, but it might not be easy to find or decipher
 Network Forensics:
  yields information about how attackers gain access to a network along with files they might have copied, examined or tampered with
  examiners use log files to determine:
   when users logged on
   which URLs users accessed
   how they logged on to the network
   and from what location
  Determines:
   what tracks or new files were left behind on a victim’s computer
   what changes were made
DIGITAL FORENSICS VS DATA RECOVERY

 Digital forensics is the task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence
 In digital forensics you are looking for any possible evidence
 Data recovery involves retrieving information that was deleted by mistake or lost during a power surge or server crash
 In data recovery you know what you’re looking for
DIGITAL FORENSICS VS DISASTER RECOVERY

 Digital forensics is the task of recovering data that users have hidden or deleted and using it as evidence
 Evidence can be inculpatory (“incriminating”) or exculpatory
 For disaster recovery, the investigator uses digital forensics techniques to retrieve information their clients have lost
DIGITAL INVESTIGATION

 Investigators often work as a team to make computers and networks secure in an organization
 Each side of the triad represents a group or department responsible for performing the associated tasks
 The digital investigations group manages investigations and conducts forensics analysis of systems suspected of:
  containing evidence related to an incident or a crime
BRIEF
HISTORY OF
DIGITAL
FORENSICS
HISTORY OF DIGITAL FORENSICS (1/6)

 By the 1970s, electronic crimes were increasing, especially in the financial sector
 Most law enforcement officers didn’t know enough about computers to ask the right questions
 Or to preserve evidence for trial
 One-half cent crime

 1980s
 PCs gained popularity and different OSs emerged
 Disk Operating System (DOS) was available
 Forensics tools were simple, and most were generated by government agencies
HISTORY OF DIGITAL FORENSICS (2/6)

 Mid-1980s
  Xtree Gold appeared on the market
   Recognized file types and retrieved lost or deleted files
  Norton DiskEdit soon followed
   And became the best tool for finding deleted files

 1987
  Apple produced the Mac SE
   A Macintosh with an external EasyDrive hard disk with 60 MB of storage
HISTORY OF DIGITAL FORENSICS (3/6)
HISTORY OF DIGITAL FORENSICS (4/6)

 Early 1990s
 Tools for computer forensics were available
 International Association of Computer Investigative Specialists (IACIS)
 Training on software for forensics investigations
 IRS created search-warrant programs
 ExpertWitness for the Macintosh
 First commercial GUI software for computer forensics
 Created by ASR Data
HISTORY OF DIGITAL FORENSICS (5/6)

 Early 1990s (continued)
  ExpertWitness for the Macintosh
   Recovers deleted files and fragments of deleted files
  Later one partner of ASR left and developed EnCase
  Large hard disks posed problems for investigators
HISTORY OF DIGITAL FORENSICS (6/6)

 Now
 iLook
 Maintained by the IRS, limited to law enforcement
 Can analyze and read special files that are copies of the disk
 EnCase
 Available for public or private use
 AccessData Forensic Toolkit (FTK)
 Available for public or private use (Most Popular)
LAWS AND
RESOURCES
CASE LAW

 Technology is evolving at an exponential pace
  Existing laws and statutes can’t keep up with the change
 Case law is used when statutes or regulations don’t exist
 Case law allows legal counsel to use previous cases similar to the current one
  Because the laws don’t yet exist
 Each case is evaluated on its own merit and issues
DEVELOPING DIGITAL FORENSICS RESOURCES

 You must know more than one computing platform
  Such as DOS, Windows 9x, Linux, Macintosh, current Windows platforms, and mobile OSs
 Join as many computer user groups as you can
  Computer Technology Investigators Network (CTIN)
   Meets monthly to discuss problems that law enforcement and corporations face
PREPARING FOR DIGITAL INVESTIGATIONS

DIGITAL INVESTIGATIONS (1/2)

 Digital investigations and forensics fall into two distinct categories
  Public investigations
  Private or corporate investigations
DIGITAL INVESTIGATIONS (2/2)

 Public investigations
  Involve government agencies responsible for criminal investigations and prosecution
  Organizations must observe legal guidelines
 Private or corporate investigations
  Deal with private companies, non-law-enforcement government agencies, and lawyers
  Aren’t governed directly by criminal law or Fourth Amendment issues
  Governed by internal policies that define expected employee behavior and conduct in the workplace
  Private corporate investigations also involve litigation disputes
  Investigations are usually conducted in civil cases
LAW ENFORCEMENT AGENCY INVESTIGATIONS

UNDERSTANDING LAW ENFORCEMENT AGENCY INVESTIGATIONS (1/4)

 In a criminal case, a suspect is tried for a criminal offense
  Such as burglary, murder, molestation or fraud
 Digital involvement/questions
  Computers and networks are sometimes only tools that can be used to commit crimes
   No different from a lockpick in a burglary case
  Many states have added specific language to criminal codes to define crimes involving computers, such as theft of computer data
 Following the legal process
FOLLOWING LEGAL PROCESS (1/3)

 Legal processes depend on local custom, legislative standards, and rules of evidence
 A criminal case follows three stages
  The complaint, the investigation, and the prosecution
FOLLOWING LEGAL PROCESS (2/3)

 A criminal case begins when someone finds evidence of an illegal act


 Complainant makes an allegation, an accusation or supposition of fact
 A police officer interviews the complainant and writes a report about the crime
 Police blotter provides a record of clues to crimes that have been
committed previously
 Investigators delegate, collect, and process the information related to the
complaint
 After you build a case, the information is turned over to the prosecutor
 In a criminal case, if you have enough info to support a search warrant, the
attorney might ask you to submit an affidavit
FOLLOWING LEGAL PROCESS (3/3)

 Affidavit
  Sworn statement in support of facts about or evidence of a crime
  Submitted to a judge to request a search warrant
  Have the affidavit notarized under sworn oath
 Judge must approve and sign a search warrant
  Before you can use it to collect evidence
CORPORATE INVESTIGATIONS

UNDERSTANDING PRIVATE SECTOR INVESTIGATIONS

 Private or corporate investigations
  Involve private companies and lawyers who address company policy violations and litigation disputes
 Corporate computer crimes can involve:
  E-mail harassment
  Falsification of data
  Gender and age discrimination
  Embezzlement
  Sabotage
  Industrial espionage
HOW TO REDUCE THE RISK OF LITIGATION? (1/5)

 Establishing company policies
  One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
 Published company policies provide a line of authority
  For a business to conduct internal investigations
 Well-defined policies
  Give computer investigators and forensic examiners the authority to conduct an investigation
HOW TO REDUCE THE RISK OF LITIGATION? (2/5)

 Displaying warning banners
  Another way to avoid litigation
 Warning banner
  Usually appears when a computer starts or connects to the company intranet, network, or virtual private network
  Informs end users that the organization reserves the right to inspect computer systems and network traffic at will
  Establishes the right to conduct an investigation
  Removes expectation of privacy
 As a corporate computer investigator
  Make sure the company displays a well-defined warning banner
HOW TO REDUCE THE RISK OF LITIGATION? (3/5)

 Designating an authorized requester
  Authorized requester has the power to conduct investigations
  Policy should be defined by executive management
  Groups that should have direct authority to request computer investigations
   Corporate Security Investigations
   Corporate Ethics Office
   Corporate Equal Employment Opportunity Office
   Internal Auditing
   The general counsel or Legal Department
HOW TO REDUCE THE RISK OF LITIGATION? (4/5)

 Conducting security investigations
  Types of situations
   Abuse or misuse of corporate assets
   E-mail abuse
   Internet abuse
 Be sure to distinguish between a company’s abuse problems and potential criminal problems
HOW TO REDUCE THE RISK OF LITIGATION? (5/5)

 Distinguishing personal and company property
  Many company policies distinguish between personal and company computer property
 One area that’s difficult to distinguish involves PDAs, cell phones, and personal notebook computers
 The safe policy is to not allow any personally owned devices to be connected to company-owned resources
  Limiting the possibility of commingling personal and company data
PREPARING DIGITAL FORENSIC INVESTIGATION

SYSTEMATIC APPROACH

 When preparing a case, you can apply standard systems analysis steps:
 Make an initial assessment about the type of case
you’re investigating
 Determine a preliminary design or approach to the
case
 Create a detailed checklist
 Determine the resources you need
 Obtain and copy an evidence drive
 Identify the risks
 Mitigate or minimize the risks
 Test the design
 Analyze and recover the digital evidence
 Investigate the data you recover
 Complete the case report
 Critique the case
EXAMPLE (DIGITAL
FORENSICS CASE 1)
Manager Steve Billings has been receiving
complaints from customers about the job
performance of one of his sales representatives,
George Montgomery. George has worked as a
representative for several years. He’s been absent
from work for two days but hasn’t called in sick or
told anyone why he wouldn’t be at work. Another
employee, Martha, is also missing and hasn’t
informed anyone of the reason for her absence.
Steve asks the IT Department to confiscate
George’s hard drive and all storage media in his
work area. He wants to know whether any
information on George’s computer and storage
media might offer a clue to his whereabouts and job
performance concerns. To help determine George’s
and Martha’s whereabouts, you must take a
systematic approach to examining and analyzing
the data found on George’s desk.
SOLUTION (DIGITAL FORENSICS CASE 1) (1/5)

 Assessing the case:
  Digital investigator talked to George’s co-workers
  Learned that George has been conducting a personal business on the side using company computers
  Focus of the case has shifted to include possible employee abuse of company resources
  He can begin assessing this case as follows:
   Situation—Employee abuse of resources.
   Nature of the case—Side business conducted on the company computer.
   Specifics of the case—The employee is reportedly conducting a side business on his company computer that involves registering domain names for clients and setting up their Web sites at local ISPs. Co-workers have complained that he’s been spending too much time on his own business and not performing his assigned work duties. Company policy states that all company-owned digital assets are subject to inspection by company management at any time. Employees have no expectation of privacy when operating company computer systems.
   Type of evidence—Small-capacity USB drive connected to a company computer.
   Known disk format—NTFS.
   Location of evidence—One USB drive recovered from the employee’s assigned computer.
SOLUTION (DIGITAL FORENSICS CASE 1) (2/5)

 Situation: Abuse of company resources
 Nature of the case: Employee was conducting a side business using office resources
 Specifics of the case: Looking for evidence; looking for any information related to Web sites, ISPs, or domain names
 Type of evidence: USB drive (from George’s computer)
 Known disk format: USB drive uses the NTFS file system

SOLUTION (DIGITAL FORENSICS CASE 1) (3/5)

 Now what does the investigator need?
  Reliable digital forensic tool for:
   • Duplicating the USB drive
   • Finding deleted and hidden files
SOLUTION (DIGITAL FORENSICS CASE 1) (4/5)

 Planning your investigation:
  Acquire the USB drive from the IT Department, which bagged and tagged the evidence.
  Complete an evidence form and establish a chain of custody.
  Transport the evidence to your digital forensics lab.
  Place the evidence in an approved secure container.
  Prepare your forensic workstation.
  Retrieve the evidence from the secure container.
  Make a forensic copy of the evidence drive (in this case, the USB drive).
  Return the evidence drive to the secure container.
  Process the copied evidence drive with your digital forensics tools.
 Evidence custody form (chain-of-evidence form):
  Single-evidence form
  Multi-evidence form

SINGLE-EVIDENCE FORM

MULTI-EVIDENCE FORM
SOLUTION (DIGITAL FORENSICS CASE 1) (5/5)

 Securing your evidence:
  You can use large evidence bags, tape, tags, labels, and other products available from police supply vendors or office supply stores
  Use anti-static bags
  Place computer evidence in a well-padded container
  As a standard practice, you should write your initials on the tape before applying it to the evidence
  If you transport a computer, place new disks in disk drives to reduce possible drive damage while you’re moving it
DATA RECOVERY WORKSTATIONS AND SOFTWARE

FORENSIC WORKSTATION (1/2)

 It can use the following operating systems based on the needs:
  MS-DOS 6.22
  Windows 95, 98, or Me
  Windows NT 3.5 or 4.0
  Windows 2000, XP, Vista, 7, 8, or 10
  Linux
  Mac OS X and macOS

FORENSIC WORKSTATION (2/2)

 The following software and hardware are required:
  A write-blocker device
  Digital forensics acquisition tool
  Digital forensics analysis tool
  A target drive to receive the source or suspect disk data
  Spare PATA and SATA ports
  USB ports
 Additional useful items include the following:
  Network interface card (NIC)
  Extra USB ports
  FireWire 400/800 ports
  SCSI card
  Disk editor tool
  Text editor tool
  Graphics viewer program
  Other specialized viewing tools

BIT STREAM COPIES

 Bit-by-bit copy (also known as a “forensic copy”)
  Process is usually referred to as “acquiring an image” or “making an image”
 A bit-stream image is the file containing the bit-stream copy of all data on a disk or disk partition
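The bit-stream copy described above, together with the hash validation and chain of custody named in the Zatyko definition at the start of the chapter, as an added Python example that is not part of the textbook or these slides: it images a constructed stand-in file for the seized USB drive block by block, records the SHA-256 of the source as it is read, verifies the copy against that digest, and writes one custody-log line. The file names, the item id USB-001 and the examiner name are assumptions made for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4096  # read and write in fixed-size blocks, as an imaging tool does


def sha256_of(path):
    """Hash a file block by block so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Bit-by-bit copy of the source into an image file, hashing the source as it is read."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def verify_image(source_hash, image_path):
    """The copy is usable as evidence only if its hash equals the hash taken from the original."""
    return sha256_of(image_path) == source_hash


def custody_entry(item_id, action, examiner, digest):
    """One line for the evidence custody log: when, which item, what was done, by whom, and the hash."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return f"{stamp}\t{item_id}\t{action}\t{examiner}\tsha256={digest}"


def demo(workdir=None):
    """Acquire and verify a constructed stand-in for the seized USB drive (not a real device)."""
    workdir = workdir or tempfile.mkdtemp()
    evidence = os.path.join(workdir, "usb_drive.raw")  # constructed sample data
    image = os.path.join(workdir, "usb_drive.dd")
    with open(evidence, "wb") as f:
        f.write(b"NTFS    " + b"\x00" * 500 + b"clientsite.example\x00" + os.urandom(3000))
    source_hash = acquire_image(evidence, image)
    ok = verify_image(source_hash, image)
    log = [custody_entry("USB-001", "acquired forensic image", "examiner", source_hash)]
    return {"ok": ok, "hash": source_hash, "evidence": evidence, "image": image, "log": log}


if __name__ == "__main__":
    result = demo()
    print("image verified:", result["ok"])
    print("\n".join(result["log"]))
```

Re-hashing the image after any later step (transport, analysis) and comparing it with the digest in the custody log is how the repeatability and validation the definition calls for are demonstrated in practice.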
ANALYZING DIGITAL EVIDENCE

 Disk may contain deleted files and fragments
  The files that were deleted are still on the disk until a new file is saved to the same physical location, overwriting the original file
  In the meantime, those files can still be retrieved
  Forensics tools such as Autopsy can retrieve deleted files for use as evidence
https://sourceforge.net/projects/autopsy/files/autopsy/4.3.0/
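An added Python illustration (not from the slides, the textbook or any forensic tool) of why deleted files stay retrievable: a constructed toy disk layout in which deletion only clears a directory entry's in-use flag, a keyword search over every byte of the image that finds the side-business strings from the case in unallocated space, and the same search after a new file overwrites that region. The layout, file names and keywords are constructed for the example and do not model NTFS.

```python
import re
import struct

# Constructed toy layout: a directory of fixed-size entries, then one 512-byte
# data region per directory slot. Deliberately much simpler than NTFS.
ENTRY = struct.Struct("<16sIIB")  # name, data offset, length, in-use flag
SLOTS = 4
REGION = 512
DATA_START = ENTRY.size * SLOTS
IMAGE_SIZE = DATA_START + SLOTS * REGION


def write_file(img, slot, name, data):
    """Store data in the slot's region and mark the directory entry as in use."""
    off = DATA_START + slot * REGION
    img[off:off + len(data)] = data
    ENTRY.pack_into(img, slot * ENTRY.size, name.encode(), off, len(data), 1)


def delete_file(img, slot):
    """Deletion clears only the in-use flag; the file's bytes stay on the 'disk'."""
    name, off, length, _ = ENTRY.unpack_from(img, slot * ENTRY.size)
    ENTRY.pack_into(img, slot * ENTRY.size, name, off, length, 0)


def live_files(img):
    """What a normal directory listing shows: only entries still marked in use."""
    found = []
    for slot in range(SLOTS):
        name, off, length, used = ENTRY.unpack_from(img, slot * ENTRY.size)
        if used:
            found.append((name.rstrip(b"\x00").decode(), off, off + length))
    return found


def keyword_search(img, keywords):
    """Scan every byte of the image; flag each hit as allocated or unallocated space."""
    live = [(start, end) for _, start, end in live_files(img)]
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), bytes(img)):
            allocated = any(start <= m.start() < end for start, end in live)
            hits.append((kw, m.start(), "allocated" if allocated else "unallocated"))
    return hits


def demo():
    """Deleted side-business data is recoverable until its region is reused."""
    img = bytearray(IMAGE_SIZE)
    write_file(img, 0, "report.txt", b"Quarterly sales figures for the region")
    write_file(img, 1, "clients.txt", b"Registered clientsite.example via LocalISP for client A")
    delete_file(img, 1)  # the directory no longer lists clients.txt, but its bytes remain
    before = keyword_search(img, ["LocalISP", "clientsite.example"])
    write_file(img, 1, "notes.txt", b"X" * REGION)  # a new file overwrites the freed region
    after = keyword_search(img, ["LocalISP", "clientsite.example"])
    return [n for n, _, _ in live_files(img)], before, after
```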
COMPLETING THE CASE

 At the end of findings, a report needs to be generated
  Basic report writing involves answering the six Ws: who, what, when, where, why, and how
  You must also explain computer and network processes
  Some digital forensics tools also generate a log file of all actions taken during your examination and analysis
READING REFERENCE MATERIAL

FUNDAMENTALS OF DIGITAL FORENSICS: THEORY, METHODS AND REAL-LIFE APPLICATIONS, 2ND EDITION
CHAPTER # 1, 2

LAB TASK

Analyze George Montgomery’s USB drive. The first task is to configure Autopsy for a new case and analyze the image file of George Montgomery’s USB drive.