Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Computer Forensics and Investigations, Second Edition

Published byMarjorie Stephens Modified over 8 years ago

Similar presentations

Presentation on theme: "Guide to Computer Forensics and Investigations, Second Edition"— Presentation transcript:

1 Guide to Computer Forensics and Investigations, Second Edition
Open (slide 4) Chapter 2 Understanding Computer Investigation

2 Guide to Computer Forensics and Investigations, 2e
Objectives Prepare a case Begin an investigation Understand computer forensics workstations and software Conduct an investigation Complete a case Critique a case Guide to Computer Forensics and Investigations, 2e

3 Preparing a Computer Investigation
Role of computer forensics professional: gather evidence to prove a suspect committed a crime or violated a company policy Collect evidence that can be offered in court or at a corporate inquiry Investigate the suspect’s computer Preserve the evidence on a different computer In my opinion, a professional investigator, including a computer forensics professional is there to gather evidence and facts, then draw a conclusion. Drawing a conclusion first prejudicies an investigation. According to Sherlock Holmes: It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts. (A Scandal in Bohemia It is a capital mistake to theorize in advance of the facts. (The Adventure of the Second Stain It is a capital mistake to theorize before you have all the evidence. It biases the judgment. (A Study in Scarlet Guide to Computer Forensics and Investigations, 2e

4 Preparing a Computer Investigation (continued)
Follow an accepted procedure to prepare a case Chain of custody Route the evidence takes from the time you find it until the case is closed or goes to court US DOJ Search and Seizure Guide Chain of custody is usually proven by a written document that shows the handling of evidence from collection at the scene through presentation as evidence at a trial. Guide to Computer Forensics and Investigations, 2e

5 Examining a Computer Crime
Computers can contain information that helps law enforcement determine: Chain of events leading to a crime Evidence that can lead to a conviction Law enforcement officers should follow proper procedure when acquiring the evidence Digital evidence can be easily altered by an overeager investigator Guide to Computer Forensics and Investigations, 2e

6 Examining a Computer Crime (continued)
Guide to Computer Forensics and Investigations, 2e

7 Examining a Company Policy Violation
Employees misusing resources can cost companies millions of dollars Misuse includes: Surfing the Internet Sending personal s Using company computers for personal tasks Waste of company time by not working during paid hours. Misusing resources like bandwidth, equipment, etc. Guide to Computer Forensics and Investigations, 2e

8 Taking a Systematic Approach
Steps for problem solving: Make an initial assessment about the type of case you are investigating Determine a preliminary design or approach to the case Create a detailed design Determine the resources you need Obtain and copy an evidence disk drive Initial assessment – Has law enforcement or internal security become involved or seized property or evidence? Was the computer used to commit a crime or does it contain evidence of a crime? Preliminary design or approach – Outline the general steps you will use to investigate the case. Detailed design – Refine the general outline to include time estimates for each step. Resources – Hardware, software, tools or other items needed. Make a copy – The copy must be a forensic copy and able to be verified through CRC, etc. to be an exact copy of the original. DO NOT WORK ON THE ORIGINAL! Guide to Computer Forensics and Investigations, 2e

9 Taking a Systematic Approach (continued)
Steps for problem solving (continued): Identify the risks Mitigate or minimize the risks Test the design Analyze and recover the digital evidence Investigate the data you recovered Complete the case report Critique the case Identify risks - Include the standard risks, such as the book’s example of a knowledgeable computer user setting up programs designed to execute and destroy evidence if a password is changed or incorrectly entered. Mitigate or minimize risks – As the book points out, make multiple copies of the original if you suspect a self-destruct mechanism may be in place. Test the design – Review the plan and steps already completed. Verify the copy (if made) using hash values, CRC, etc. Analyze and recover evidence – Using the plan and tools specified, begin examining the copies of data drives. Investigate recovered data – View and interpret the data recovered. Guide to Computer Forensics and Investigations, 2e

10 Guide to Computer Forensics and Investigations, 2e
Assessing the Case Systematically outline the case details: Situation Nature of the case Specifics about the case Type of evidence OS Known disk format Location of evidence Type of evidence – Specific media specifications Guide to Computer Forensics and Investigations, 2e

11 Assessing the Case (continued)
Based on case details, you can determine the case requirements: Type of evidence Computer forensics tools Special OSs Guide to Computer Forensics and Investigations, 2e

12 Planning your Investigation
A basic investigation plan should include the following activities: Acquire the evidence Complete an evidence form and establish a chain of custody Transport evidence to a computer forensics lab Secure evidence in an approved secure container Evidence form examples are on later slides. Guide to Computer Forensics and Investigations, 2e

13 Planning your Investigation (continued)
A basic investigation plan (continued): Prepare a forensics workstation Obtain the evidence from the secure container Make a forensic copy of the evidence Return the evidence to the secure container Process the copied evidence with computer forensics tools Guide to Computer Forensics and Investigations, 2e

14 Planning your Investigation (continued)
An evidence custody form helps you document what has been done with the original evidence and its forensics copies There are two types: Single-evidence form Multi-evidence form Guide to Computer Forensics and Investigations, 2e

15 Planning your Investigation (continued)
Guide to Computer Forensics and Investigations, 2e

16 Planning your Investigation (continued)
A single item form is more flexible if multiple pieces of evidence are acquired but not necessarily treated as a single unit. For example, there may be multiple items with each being sent to a different lab. Guide to Computer Forensics and Investigations, 2e

17 Securing your Evidence
Use evidence bags to secure and catalog the evidence Use computer safe products Antistatic bags Antistatic pads Use well-padded containers Guide to Computer Forensics and Investigations, 2e

18 Securing your Evidence (continued)
Use evidence tape to seal all openings Floppy disk or CD drives Power supply electrical cord Write your initials on tape to prove that evidence has not been tampered Consider computer-specific temperature and humidity ranges These procedures not only safeguard the evidence, it helps establish the integrity of the items. As the book suggests, if a PC is taken as evidence you should use evidence tape to cover drive openings, power cord connection points, usb ports, etc. to show that nothing has been plugged in since the PC was acquired. Guide to Computer Forensics and Investigations, 2e

19 Understanding Data-Recovery Workstations and Software
Investigations are conducted in a computer forensics lab (or data-recovery lab) Computer forensics and data-recovery are related but different Computer forensics workstation Specially configured personal computer To avoid altering the evidence, use: Forensics boot floppy disk Write-blockers devices Data recovery is concerned only with retrieving lost or damaged data and the location, source and types may be known in advance. Computer forensics are usually performed to locate and discover evidence and requires a sterile environment and copies of the source to insure that the copy is a true representation of the original. Guide to Computer Forensics and Investigations, 2e

20 Setting Up your Workstation for Computer Forensics
Set up Windows 98 workstation to boot into MS-DOS Display a Startup menu Modify Msdos.sys file using any text editor Install a computer forensics tool DriveSpy and Image Windows XP and 2000 can boot into a command prompt, but not to a DOS system. As booting in Windows changes file’s date/time stamps, last accessed time, contents, log files, etc. you should boot using an external source such as a floppy, CD or USB drive. Guide to Computer Forensics and Investigations, 2e

21 Setting Up your Workstation for Computer Forensics (continued)
Guide to Computer Forensics and Investigations, 2e

22 Setting Up your Workstation for Computer Forensics (continued)
Guide to Computer Forensics and Investigations, 2e

23 Conducting an Investigation
Begin by copying the evidence using a variety of methods Recall that no single method retrieves all data The more methods you use, the better Simply copying files isn’t enough. You won’t get deleted files, left over fragments, etc. Guide to Computer Forensics and Investigations, 2e

24 Gathering the Evidence
Take all necessary measures to avoid damaging the evidence Place the evidence in a secure container Complete the evidence custody form Transport the evidence to the computer forensics lab Create forensics copies (if possible) Secure evidence by locking the container Guide to Computer Forensics and Investigations, 2e

25 Understanding Bit-stream Copies
Bit-by-bit copy of the original storage medium Exact copy of the original disk Different from a simple backup copy Backup software only copy known files Backup software cannot copy deleted files or messages, or recover file fragments Guide to Computer Forensics and Investigations, 2e

26 Understanding Bit-stream Copies (continued)
A bit-stream image file contains the bit-stream copy of all data on a disk or partition Preferable to copy the image file to a target disk that matches the original disk’s manufacturer, size, and model Guide to Computer Forensics and Investigations, 2e

27 Understanding Bit-stream Copies (continued)
Chapter 9 discusses some of the tools in more detail. Guide to Computer Forensics and Investigations, 2e

28 Creating a Forensic Boot Floppy Disk
Goal is not to alter the original data on a disk Preferred way to preserve the original data is to never examine it Make forensic copies Create a special boot floppy disk that prevents OS from altering the data when the computer starts up Windows 9x can also alter other files, especially if DriveSpace is implemented on a file allocation table (FAT) 16 disk Guide to Computer Forensics and Investigations, 2e

29 Assembling the Tools for a Forensic Boot Floppy Disk
Disk editor such as Norton Disk Edit or Hex Workshop Floppy disk MS-DOS OS Computer that can boot to a true MS-DOS level Forensics acquisition tool Write-block tool Guide to Computer Forensics and Investigations, 2e

30 Assembling the Tools for a Forensic Boot Floppy Disk (continued)
Steps: Make the floppy disk bootable Update the OS files to remove any reference to the hard disk (using Hex Workshop or Norton Disk Edit) Modify the command.com file on the floppy disk Modify the io.sys file on the floppy disk Add computer forensic tools Test your floppy disk Create several backup copies Open command.com in a hex editor and change all references from c:\ to a:\. Guide to Computer Forensics and Investigations, 2e

31 Assembling the Tools for a Forensic Boot Floppy Disk (continued)
Open io.sys in a hex editor and change all references from c:\ to a:\. Replace .bin with .zzz to remove any references to the DriveSpace utility. The floppy is now safe to use as a boot disk for forensic use. Guide to Computer Forensics and Investigations, 2e

32 Retrieving Evidence Data Using a Remote Network Connection
Bit-stream image copies can also be retrieved from a workstation’s network connection Software: SnapBack EnCase R-Tools Can be a time-consuming process even with a 1000-Mb connection It takes less time using a NIC-to-NIC connection A NIC-to-NIC connection requires a twisted pair network cable. Guide to Computer Forensics and Investigations, 2e

33 Copying the Evidence Disk
A forensic copy is an exact duplicate of the original data Create a forensic copy using: MS-DOS Specialized tool such as Digital Intelligence’s Image First, create a bit-stream image Then, copy the image to a target disk Guide to Computer Forensics and Investigations, 2e

34 Creating a Bit-stream Image with FTK Imager
Start Forensic Toolkit (FTK) Imager by double-clicking the icon on your desktop Click File, Image Drive from the menu; insert floppy disk labeled “Domain Name working copy #2” In the dialog box that opens, click the A: drive to select a local drive, then click OK Guide to Computer Forensics and Investigations, 2e

35 Creating a Bit-stream Image with FTK Imager (continued)
A wizard walks you through the steps Accept all the defaults Specify the destination folder If necessary, create a folder called Forensics Files Name the file Bootimage.1 Guide to Computer Forensics and Investigations, 2e

36 Analyzing Your Digital Evidence
Your job is to recover data from: Deleted files File fragments Complete files Deleted files linger on the disk until new data is saved on the same physical location Tools: Digital Intelligence’s DriveSpy AccessData’s FTK Guide to Computer Forensics and Investigations, 2e

37 Analyzing Your Digital Evidence (continued)
DriveSpy is a powerful tool that recovers and analyzes data on FAT12, FAT16, and FAT32 disks Can search for altered files and keywords FTK is an easy-to-use GUI application for FAT12, FAT16, FAT32, and new technology file system (NTFS) disks FTK Imager Registry Viewer Password Recovery Toolkit Guide to Computer Forensics and Investigations, 2e

38 Analyzing Your Digital Evidence (continued)
Guide to Computer Forensics and Investigations, 2e

39 Analyzing Your Digital Evidence (continued)
Guide to Computer Forensics and Investigations, 2e

40 Guide to Computer Forensics and Investigations, 2e
Completing the Case You need to produce a final report State what you did and what you found You can even include logs from the forensic tools you used If required, use a report template The report should show conclusive evidence that the suspect did or did not commit a crime or violate a company policy The report format and contents may be prescribed by policy or legal requirements and rules of evidence. Your results must also be exactly reproducable to be valid. Guide to Computer Forensics and Investigations, 2e

41 Guide to Computer Forensics and Investigations, 2e
Critiquing the Case Ask yourself the following questions: How could you improve your participation in the case? Did you expect the results you found? Did the case develop in ways you did not expect? Was the documentation as thorough as it could have been? Guide to Computer Forensics and Investigations, 2e

42 Critiquing the Case (continued)
Questions continued: What feedback has been received from the requesting source? Did you discover any new problems? What are they? Did you use new techniques during the case or during research? Guide to Computer Forensics and Investigations, 2e

43 Guide to Computer Forensics and Investigations, 2e
Summary Use a systematic approach to investigations Plan a case by taking into account: Nature of the case Case requirements Gathering evidence techniques Do not forget that every case can go to court Apply standard problem-solving techniques Guide to Computer Forensics and Investigations, 2e

44 Guide to Computer Forensics and Investigations, 2e
Summary (continued) Keep track of the chain of custody of your evidence Create bit-stream copies of the original data Use the duplicates whenever possible Some tools: DriveSpy and Image, FTK, MS-DOS commands Produce a final report detailing what you did and found Guide to Computer Forensics and Investigations, 2e

45 Guide to Computer Forensics and Investigations, 2e
Summary (continued) Always critique your work as a way of improving it Apply these lessons to future cases Guide to Computer Forensics and Investigations, 2e

46 Questions & Discussion
Guide to Computer Forensics and Investigations, 2e

Download ppt "Guide to Computer Forensics and Investigations, Second Edition"

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Chapter 3 Understanding the Boot Process and Command Line.

Chapter 3 Understanding the Boot Process and Command Line.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Computer & Network Forensics

Computer & Network Forensics
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
COS 413 DAY 2. Agenda Questions? Assignment 1 due next class Finish Discussion on Preparing for Computing Investigations Begin Discussion on Understanding.

COS 413 DAY 2. Agenda Questions? Assignment 1 due next class Finish Discussion on Preparing for Computing Investigations Begin Discussion on Understanding.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
11 INSTALLING WINDOWS XP Chapter 2. Chapter 2: Installing Windows XP2 INSTALLING WINDOWS XP  Prepare a computer for the installation of Microsoft Windows.

11 INSTALLING WINDOWS XP Chapter 2. Chapter 2: Installing Windows XP2 INSTALLING WINDOWS XP  Prepare a computer for the installation of Microsoft Windows.
1 Web Server Administration Chapter 3 Installing the Server.

1 Web Server Administration Chapter 3 Installing the Server.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 12: Managing and Implementing Backups and Disaster Recovery.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
Hands-On Microsoft Windows Server 2003 Chapter 2 Installing Windows Server 2003, Standard Edition.

Hands-On Microsoft Windows Server 2003 Chapter 2 Installing Windows Server 2003, Standard Edition.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
COS/PSA 413 Day 17. Agenda Lab 8 write-up grades –3 B’s, 1 C and 1 F –Answer the Questions!!! Capstone progress report 2 overdue Today we will be discussing.

COS/PSA 413 Day 17. Agenda Lab 8 write-up grades –3 B’s, 1 C and 1 F –Answer the Questions!!! Capstone progress report 2 overdue Today we will be discussing.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
COS/PSA 413 Day 2. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Begin.

COS/PSA 413 Day 2. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Begin.

Similar presentations

Ads by Google