J. M. Kizza - Ethical And Social Issues. Module 13: Computer Investigations

Presentation transcript:

1 J. M. Kizza - Ethical And Social Issues
Module 13: Computer Investigations
- Introduction
- Digital Evidence
- Preserving Evidence
- Analysis of Digital Evidence
- Writing Investigative Reports
- Proven Security Protocols and Best Practices

2 J. M. Kizza - Ethical And Social Issues
Introduction
Computer forensics (computer crime investigation) is the application of forensic science investigative techniques to computer-based material used as evidence. The search technique helps to reconstruct the sequence of activities, that is, what happened. The investigation process involves the extraction, documentation, examination, preservation, analysis, evaluation, and interpretation of computer-based material to provide relevant and valid information as evidence in civil, criminal, administrative, and other cases.

3 J. M. Kizza - Ethical And Social Issues
Digital Evidence
Evidence is something tangible needed to prove a fact. Tangible evidence to prove a claim or an assertion can come from one of the following sources:
- an eyewitness who provides testimony;
- physical evidence, as traces of the sequence of activities leading to the claim or assertion;
- digital evidence, as digital footprints of the digital sequence of activities leading to the claim or assertion.
Digital evidence consists of the digital footprints left after every digital activity; together these footprints form a cybertrail.

4 J. M. Kizza - Ethical And Social Issues
Looking for Digital Evidence
Looking for digital evidence is difficult and is comparable to searching for bits of evidence data in a haystack. The evidence usually sought includes binary data fixed in any medium, such as CDs, memory, and floppies; residues of things used in committing a crime; and physical materials such as folders, letters, and scraps of paper. At the start of the investigation, the examiner must decide what to work with, such as written and technical policies, permissions, billing statements, and system, application and device logs. Also decide early on what to monitor, if this is needed. This may include employer and employee computing activities, the Internet, and chat rooms.

5 J. M. Kizza - Ethical And Social Issues
Digital Evidence Previewing and Acquisition
Dealing with digital evidence requires a lot of care because it is very volatile. The two processes of previewing and acquiring data may disturb the evidence to the point of changing its status, thus creating doubt about its credibility. To make sure that this does not happen, a strict sequence of steps must be followed in handling the evidence.

6 J. M. Kizza - Ethical And Social Issues
Handling Evidence: trace the sequence of events by looking for answers to the following questions:
- Who extracted the evidence, how, and when?
- Who packaged it and when?
- Who stored it, how, when and where?
- Who transported it, where and when?
Previewing Image Files: allows the investigator to view the evidence media in order to determine whether a full investigation is warranted.
Evidence Acquisition: the process of evidence extraction.

7 J. M. Kizza - Ethical And Social Issues
Preserving Evidence
Given that digital evidence is very fluid, in that it can disappear or change so fast, extra care must be taken in preserving it. One way of preserving evidence is to strictly follow these procedures:
- Secure the evidence scene from all parties that have no relevance to it. This is to avoid contamination, usually from the deposit of hairs, fibers or trace material from clothing, footwear or fingerprints.
- Securely catalog and package evidence in strong anti-static, well-padded, and labelled evidence bags.
- Image all suspected media as evidence to create a backup. Try to make several copies of each evidence item.
- Make a checksum of the original evidence disk before and after each copy. After imaging, the two checksums must agree.
- Institute a good security access control system to make sure that only those authorized to handle the evidence do so.
- Secure the evidence by encryption, where and if possible. Encryption ensures the confidentiality of the evidence.
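The chain-of-custody questions from the Handling Evidence slide (who extracted, packaged, stored and transported the item, and when) and the checksum-before-and-after step above can be exercised together in code. The Python below is an added example and is not part of Kizza's slides: it hashes a constructed in-memory "evidence disk" before and after a bit-for-bit copy, hashes the image, and appends each action to a custody record. The CustodyLog class, the acquire_and_verify and image_still_intact helpers, and the sample media are all assumptions made for this example; a real acquisition would use a hardware write blocker and a forensic imager, which this copy routine only stands in for.

```python
# Added example (not from the Kizza slides): verify that imaging did not alter
# the original media, and keep a chain-of-custody record answering the
# who/how/when/where questions from the "Handling Evidence" slide.
# The "evidence disk" is a constructed byte string, not real media.
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Checksum used to fingerprint the original media and each image."""
    return hashlib.sha256(data).hexdigest()


def image_media(source: bytes) -> bytes:
    """Bit-for-bit copy of the media (stands in for a write-blocked imager)."""
    return bytes(source)


class CustodyLog:
    """Append-only record of who did what to an evidence item, and when."""

    def __init__(self, item_id: str, description: str):
        self.item_id = item_id
        self.description = description
        self.entries = []

    def record(self, action: str, who: str, how: str = "", where: str = "",
               checksum: str = "") -> None:
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "action": action,      # extracted / imaged / packaged / stored / ...
            "who": who,
            "how": how,
            "where": where,
            "checksum": checksum,  # SHA-256 of the item at that moment, if taken
        })

    def to_json(self) -> str:
        return json.dumps({"item": self.item_id, "description": self.description,
                           "entries": self.entries}, indent=2)


def acquire_and_verify(source: bytes, examiner: str, item_id: str):
    """Image the media, checksum the original before and after the copy, and
    return (log, image, ok); ok is True only if all three checksums agree."""
    log = CustodyLog(item_id, "constructed evidence media")
    before = sha256_hex(source)
    log.record("checksum before imaging", examiner, how="sha256", checksum=before)

    image = image_media(source)

    after = sha256_hex(source)  # the original must be unchanged by the copy
    image_hash = sha256_hex(image)
    log.record("imaged", examiner, how="bit-for-bit copy", checksum=image_hash)
    log.record("checksum after imaging", examiner, how="sha256", checksum=after)

    ok = before == after == image_hash
    return log, image, ok


def image_still_intact(log: CustodyLog, image: bytes) -> bool:
    """Re-hash an image later (e.g. before analysis) against the logged value."""
    logged = [e["checksum"] for e in log.entries if e["action"] == "imaged"]
    return bool(logged) and sha256_hex(image) == logged[-1]


# Constructed sample media: a tiny "disk" with a boot-record-like prefix,
# a fragment of a document and trailing zeros.
SAMPLE_MEDIA = b"MBR\x00" * 16 + b"report.docx: Q3 numbers..." + b"\x00" * 64

if __name__ == "__main__":
    log, image, ok = acquire_and_verify(SAMPLE_MEDIA, "examiner A", "HDD-001")
    log.record("packaged", "examiner A", how="anti-static bag, sealed", where="lab")
    log.record("stored", "examiner A", where="evidence locker 3")
    print("checksums agree:", ok)
    print(log.to_json())
```

Each later handover (transport, storage, analysis) is another record call, and image_still_intact re-checks the working copy against the hash logged at imaging time, which is what makes a later claim that the image was not altered verifiable rather than asserted.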

8 J. M. Kizza - Ethical And Social Issues
There are two common network configuration models: centralized and distributed. Computer networks, centralized or distributed, come in different sizes depending on the number of computers and other devices the network has. The number of devices, computers or otherwise, in a network and the geographical area covered by the network determine the network type:
- Local Area Network (LAN)
- Wide Area Network (WAN)
- Metropolitan Area Network (MAN)

9 J. M. Kizza - Ethical And Social Issues
Analysis of Digital Evidence
Evidence analysis is the most difficult and demanding task for investigators. It involves:
- Analyzing Data Files
- File Directory Structure
- File Patterns
- Metadata
- Content
- Application
- User Configuration

10 J. M. Kizza - Ethical And Social Issues
Analysis Based on Digital Media
- Deleted Files
- Hidden Files
- Slack Space
- Bad Blocks
- Steganography Utilities
- Compressed and Coded Files
- Encrypted Files
- Password-Protected Files
Analysis Based on Operating Systems
- Microsoft-Based File Systems
- UNIX and LINUX File Systems
- Macintosh File System
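As an added example that is not taken from the slides, the Python below shows three of the media-based places listed above where data that a plain file listing does not show can survive: the slack between a file's end and the end of its last cluster, unallocated clusters that still hold a deleted file's bytes, and a "hidden" file whose extension disguises its real type. The cluster size, the file table, the disk image and the magic-number table are all constructed for this example and do not model any particular file system.

```python
# Added example (not from the Kizza slides): recover residue from file slack
# and unallocated clusters of a constructed disk image, carve readable
# strings from it, and flag files whose content does not match their
# extension. CLUSTER, FILE_TABLE and build_image() are constructed here.

CLUSTER = 64  # constructed cluster size in bytes

# Constructed file table: name -> (size in bytes, tuple of allocated clusters)
FILE_TABLE = {
    "notes.txt": (100, (0, 1)),   # 100 bytes spanning two 64-byte clusters
    "photo.jpg": (8, (3,)),       # 8 bytes, but the content is a PNG header
}

# A few well-known file signatures (magic numbers) used for type detection.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}


def build_image() -> bytes:
    """Assemble a 5-cluster image: cluster 1's tail is slack holding residue
    from an earlier file, cluster 2 is unallocated but still holds a deleted
    file's text, cluster 3 holds a PNG header saved under a .jpg name."""
    notes = (b"Meeting notes: budget approved for Q3 expansion; see attached sheet. " * 2)[:100]
    residue = b"OLD:wire transfer cancelled!"          # 28 bytes of slack residue
    cluster0 = notes[:CLUSTER]
    cluster1 = (notes[CLUSTER:] + residue)[:CLUSTER].ljust(CLUSTER, b"\x00")
    cluster2 = b"DELETED: invoice 4471 marked as paid".ljust(CLUSTER, b"\x00")
    cluster3 = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 8).ljust(CLUSTER, b"\x00")
    cluster4 = b"\x00" * CLUSTER
    return cluster0 + cluster1 + cluster2 + cluster3 + cluster4


def cluster_bytes(image: bytes, n: int) -> bytes:
    return image[n * CLUSTER:(n + 1) * CLUSTER]


def file_slack(image: bytes, name: str) -> bytes:
    """Bytes past the file's end of data inside its last allocated cluster."""
    size, clusters = FILE_TABLE[name]
    allocated = b"".join(cluster_bytes(image, c) for c in clusters)
    return allocated[size:]


def unallocated_clusters(image: bytes) -> list:
    """Clusters no live file claims; a deleted file's data may still be there."""
    used = {c for _, clusters in FILE_TABLE.values() for c in clusters}
    return [c for c in range(len(image) // CLUSTER) if c not in used]


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """strings(1)-style carving: runs of printable ASCII at least min_len long."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def content_type(data: bytes) -> str:
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def extension_mismatches(image: bytes) -> list:
    """(name, extension, detected type) for files whose magic contradicts the name."""
    out = []
    for name, (size, clusters) in FILE_TABLE.items():
        data = b"".join(cluster_bytes(image, c) for c in clusters)[:size]
        kind = content_type(data)
        ext = name.rsplit(".", 1)[-1].lower()
        if kind != "unknown" and kind != ext:
            out.append((name, ext, kind))
    return out


if __name__ == "__main__":
    img = build_image()
    print("slack of notes.txt:", file_slack(img, "notes.txt"))
    for c in unallocated_clusters(img):
        print("unallocated cluster", c, "strings:", printable_strings(cluster_bytes(img, c)))
    print("extension mismatches:", extension_mismatches(img))
```

The same three checks apply to real images once the cluster size and allocation map are read from the file system itself; the point for the analyst is that slack and unallocated space are part of the evidence and must be examined, and that a file's name is a claim about its type, not proof of it.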

11 J. M. Kizza - Ethical And Social Issues
Relevance and Validity of Digital Evidence
There is a need to establish the relevancy of the evidence. The relevancy of the digital evidence depends on:
- the requesting agency,
- the nature of the request,
- the type of the case in question.
The question of the validity of data is tied up with the relevance of the data. It is also based on the process of authentication of that data.

12 J. M. Kizza - Ethical And Social Issues
Writing Investigative Reports
A report is a summary of all findings of the investigation, and it comes from all the documentation that has been made throughout the investigation. The report should include the following documents [4]:
- All notes taken during meetings and contacts that led to the investigation
- All forms used in the investigation, including the chain of custody forms
- Copies of search warrants and legal authority notes granting permission to conduct searches
- Notes, video recordings, and pictures taken at the incident scene describing the scene
- Notes and any documentation made to describe the computer components, including a description of peripherals and all devices

13 J. M. Kizza - Ethical And Social Issues
- Documentation and notes describing the networking of the suspect's devices
- Notes made on what was discovered, including passwords, pass phrases, encryption and any data hiding
- Any changes to the suspect's scene configuration, authorized or not
- Names of everyone at the suspect's scene
- Procedures used to deal with the scene, including acquisition, extraction, and analysis of evidence
- Any observed or suspected irregularities, including those outside the scope of the techniques in use