BACS 371 Computer Forensics


1 BACS 371 Computer Forensics
Overview of a Digital Investigation

2 Introduction
Successful forensic analysts follow a predefined pattern of activities when performing an investigation. These patterns (or “models”) are designed to ensure that:
- All necessary steps are completed in the proper order
- All activities are performed in a legal manner
- Analysis is performed to generate admissible evidence
- Adequate documentation is collected to ensure the creation of a robust case
It is extremely important that everything be “legal” and that all steps are documented. Failure to do this can endanger the case, because the other side’s attorney can raise doubt about the evidence and cause it to be ruled inadmissible.

3 Investigation Model
There are several investigation models available. A popular one is the 6-step Casey model:
- Identification / Assessment
- Collection / Acquisition
- Preservation
- Examination
- Analysis
- Reporting

4 6-Step Casey Model

5 Identification / Assessment
- Define the scope and likely venue of the examination
- Collect all legal documentation needed
- Get any permissions required for resources not covered by warrants
- Identify the tools required
- Identify the personnel needed
- Identify the stakeholders
In other words, determine the “lay of the land” of the case. Prior to accepting the case, you need to decide if you are qualified to handle it (both in scope and in examination expertise).

6 Identification / Assessment
For internal investigations you will need a signed letter of agreement outlining the scope of the investigation along with the contractual details. For civil investigations you will need a court order or subpoena before starting. For criminal investigations you will need a warrant. Once this is in place, determine the likely sources of evidence for the case. If you are working a criminal case, you will most likely have been hired by a government agency; it will have its own processes and procedures to adhere to in addition to the legal documents mentioned on the slide. As a general rule, always assume that the case will go to trial, so that you have all the needed documentation and procedures in place to build a strong case.

7 Collection / Acquisition
Collection methods must assure that:
- Data is authentic
- Sources of data are reliable
- Nothing was modified throughout the process (where a live acquisition unavoidably changes the running system, e.g. a memory capture, that change is documented)
- All tools used are valid
- Personnel are qualified to do their jobs
- Enough evidence exists to prove a point
- Conclusions are valid

8 Collection / Acquisition
When collecting digital media, remember all issues of legal “search & seizure”. If the device is battery powered and has radio connectivity (e.g. a phone or tablet), place it in a Faraday bag so that it cannot receive a remote wipe or new data, and add a power source so that it does not discharge and lock or lose volatile state before examination. In a “live acquisition”, use proper procedures to capture volatile data (memory, running processes, network connections) on-site before power is removed. Utilize “best practices” procedures to ensure that the physical devices are not compromised. Maintain (and document) a clean chain of custody. Document all steps taken to collect the devices from the initial contact through arrival at the forensic lab.

9 Preservation
- Use dependable, court-recognized tools to image (i.e., collect) the data from the source media, attached through a write blocker so that the original cannot be altered.
- NEVER work on original data sources.
- Target media for copies must be uncontaminated (new or forensically wiped).
- Authenticate that the copy is identical to the original by computing a cryptographic hash (e.g., SHA-256) of the source and of the image and confirming that they match; record the values.
- Make a 2nd copy and verify it the same way.
- Store the original and the 2nd copy in a secure location where you can control access.
- Maintain a thorough chain of custody.
If live acquisition was used, then you will already have some data (e.g., RAM, page file, network logs, …) preserved. You will likely still have to image the device once it is turned off. Chain of custody is a full record of how the evidence was handled and who had access. Gaps in the C of C are an open invitation to having the evidence ruled inadmissible.
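As an added example (not part of the original slides, and not any particular forensic tool's code), here is the hash-verified imaging step from this slide written in Python with only the standard library. The source "device" is a constructed temporary file standing in for a seized disk, and the file names and the use of SHA-256 are assumptions. The source is hashed as it is read (the acquisition hash), the finished image and the second copy are re-hashed from disk (the verification hashes), and the demo ends by showing that a later one-byte change to the working image is caught against the recorded source hash.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size; a large image never needs to fit in memory


def hash_file(path, algo="sha256"):
    """Return the hex digest of a file, hashing it chunk by chunk."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_verify(source, image, algo="sha256"):
    """Copy source to image, hashing the source stream as it is read, then
    re-hash the finished image from disk. Returns (source_hash, image_hash, ok).
    The stream hash is the acquisition hash; the re-read is the verification
    hash; the two must match before the image is trusted."""
    h = hashlib.new(algo)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    source_hash = h.hexdigest()
    image_hash = hash_file(image, algo)
    return source_hash, image_hash, source_hash == image_hash


def preserve(source, workdir, algo="sha256"):
    """Produce the working image and the second (archival) copy the slide asks
    for, verify both against the source hash, and return the record that goes
    into the case documentation. File names are assumptions."""
    working = os.path.join(workdir, "evidence.img")
    archival = os.path.join(workdir, "evidence_copy2.img")
    src_hash, img_hash, ok1 = image_and_verify(source, working, algo)
    _, copy_hash, ok2 = image_and_verify(working, archival, algo)
    return {
        "algorithm": algo,
        "source_hash": src_hash,
        "working_image": working,
        "working_hash": img_hash,
        "archival_copy": archival,
        "archival_hash": copy_hash,
        "verified": ok1 and ok2 and copy_hash == src_hash,
    }


def demo():
    """Run the procedure on a constructed stand-in for a seized disk, then
    show that a later one-byte change to the working image is detected when it
    is re-hashed against the recorded source hash."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_device.bin")
    with open(source, "wb") as f:
        f.write(b"constructed sector data\x00" * 4096)  # constructed sample, not real media
    record = preserve(source, workdir)
    with open(record["working_image"], "r+b") as f:
        f.seek(100)
        f.write(b"X")
    tampered = hash_file(record["working_image"]) != record["source_hash"]
    return record, tampered


if __name__ == "__main__":
    rec, changed = demo()
    print("image verified:", rec["verified"], "| later modification detected:", changed)
```

The recorded hashes belong in the procedural documentation and on the chain-of-custody form, so that anyone re-hashing the image later can show it is still what was acquired.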

10 Examination
- Look through your data image for overt evidence: for example, pictures, documents, spreadsheets, etc. that could be evidence.
- Look for evidence that the system may have hidden.
- Look for evidence that the user may have deleted but that is still recoverable.
- Look for evidence of anti-forensic techniques being employed: for example, encryption, NTFS alternate data streams (ADS), hidden partitions, etc.
- Use court-recognized tools whenever possible.

11 Analysis
- Based on your knowledge of the case, decide what evidence is material to the case.
- Using whatever forensic tools you deem necessary, locate and extract all material evidence (both inculpatory and exculpatory).
- If appropriate, build a timeline of activity.
- Document all your findings as you go so that the final report is easier to write.
Inculpatory – supports the hypothesis of the case (tends to show guilt). Exculpatory – contradicts the hypothesis of the case (tends to show innocence). Both must be extracted and reported; leaving out exculpatory findings destroys the objectivity the report depends on.

12 Reporting
Using the extremely detailed documentation that you have collected so far:
- Begin writing the report in a standard format appropriate for the audience.
- Fully explain all evidence that was retrieved.
- Fully explain any problems or discrepancies encountered during your analysis.
- Do not make any assertions of innocence or guilt. Just present the facts as you found them.
Remember, you are to be completely objective.

13 Importance of “Best Practices”
Formal investigative models and “best practices” are used in forensics to counter the opposition’s argument that the evidence is inadmissible. Even if your methods are flawless, it is the job of the opposing attorney to cast doubt on your findings. Using standard, well-accepted procedures and best practices minimizes the chance that the opposition’s arguments will be accepted. Not using them is an open invitation to problems at the trial.

14 Importance of Documentation
The work product of your analysis is the documentation. Without good documentation, you cannot present a robust case. 5 levels of documentation are needed:
- General case documentation
- Procedural documentation
- Process documentation
- Case timeline
- Evidence chain of custody
Some of these levels are easier to maintain than others. For example, the chain of custody documentation is usually a signed form indicating who had access to the digital device and when.

15 General Case Documentation
- Contact information for everyone involved
- First response documentation
- Notes
- Photographs
- Videos
- All legal authorizations

16 Procedural Documentation
Every task that was performed related to the investigation (as distinct from process documentation, which covers the tools themselves):
- Summary of events
- List of equipment seized
- What steps were taken and what tools were used
- Detailed analysis of the data

17 Process Documentation
Documentation of the tools and software used in the examination:
- User manuals
- Installation manuals
- README files
- Update history logs
- Results of testing (validation of the tools against known data)

18 Case Timeline
Case timeline:
- Systematic analysis of what transpired
- Times and dates of related events
- MAC data of files involved
Procedural timeline:
- Detailed list of steps taken
- Times and dates each step began and ended
“MAC data” is the Modified, Accessed, and Created timestamps of a file (on Unix-like file systems the “C” is the inode change time rather than creation). The term is not specifically related to Apple computers.
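As an added example (not part of the original slides), here is how the MAC data of the files involved becomes a case timeline, in Python. The file records are constructed for illustration and stand in for the timestamps an examiner would read out of the file system in the image; the paths and times are not from any real case. Each file's three timestamps are exploded into separate events and sorted, with coinciding timestamps on one file collapsed into a single row carrying the flags "m", "a", "c", the way a mactime body-file timeline reads.

```python
from datetime import datetime, timezone

# Constructed file metadata records (not from a real case): each holds the
# path and the Modified / Accessed / Created timestamps an examiner would pull
# from the file system in the image, as UTC ISO-8601 strings.
CONSTRUCTED_FILES = [
    {"path": "C:/Users/jdoe/Documents/budget.xlsx",
     "modified": "2023-03-14T09:12:00Z",
     "accessed": "2023-03-15T17:45:10Z",
     "created": "2023-03-01T08:00:00Z"},
    {"path": "C:/Users/jdoe/AppData/Local/Temp/7z.exe",
     "modified": "2023-03-15T17:40:02Z",
     "accessed": "2023-03-15T17:40:02Z",
     "created": "2023-03-15T17:40:02Z"},
    {"path": "E:/archive.7z",
     "modified": "2023-03-15T17:46:30Z",
     "accessed": "2023-03-15T17:46:30Z",
     "created": "2023-03-15T17:46:30Z"},
]

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def build_timeline(files):
    """Explode each file's M, A and C timestamps into separate events and sort
    them chronologically. Events on the same file at the same second are
    collapsed into one row whose flags show which timestamps coincide ("mac"
    for a file written once and never touched again). Returns rows of
    (timestamp, flags, path)."""
    events = {}
    for rec in files:
        for flag, key in (("m", "modified"), ("a", "accessed"), ("c", "created")):
            events.setdefault((parse_ts(rec[key]), rec["path"]), set()).add(flag)
    return [
        (ts.strftime(TS_FMT), "".join(f for f in "mac" if f in flags), path)
        for (ts, path), flags in sorted(events.items())
    ]


def events_between(rows, start, end):
    """Narrow the timeline to a window of interest, e.g. the period in which
    the case hypothesis says the data was copied out."""
    s, e = parse_ts(start), parse_ts(end)
    return [r for r in rows if s <= parse_ts(r[0]) <= e]


if __name__ == "__main__":
    timeline = build_timeline(CONSTRUCTED_FILES)
    for ts, flags, path in timeline:
        print(f"{ts}  {flags:<3}  {path}")
    # Window around the suspected copying: archiver dropped, document read, archive written
    window = events_between(timeline, "2023-03-15T17:00:00Z", "2023-03-15T18:00:00Z")
    print(len(window), "events in window")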

19 Chain of Custody
Begins when evidentiary materials are first seized:
- Time and date taken
- From whom and where
- Complete description of each item
- Every time an item changes hands: time, date and people involved (get signatures)
- There can be no gaps in the history
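As an added example (not part of the original slides), here is the "no gaps" rule from this slide turned into a check that can be run over a chain-of-custody log, in Python. The log entries are constructed and the item, people and locations are invented; the rules the audit applies (the chain starts at the seizure, both parties sign each hand-off, and whoever received an item on one line must be the one releasing it on the next) are this example's own reading of the slide, not a prescribed form.

```python
from datetime import datetime, timezone

# Constructed chain-of-custody log (not from a real case). One entry per
# transfer: when, which item, who released it, who received it, where, and
# who signed. The first entry's "from" records the seizure itself.
CONSTRUCTED_LOG = [
    {"time": "2023-03-16T10:05:00Z", "item": "HDD-001",
     "from": "seizure: desk of J. Doe, Room 412", "to": "Ofc. A. Smith",
     "location": "site", "signed": ["Ofc. A. Smith"]},
    {"time": "2023-03-16T14:30:00Z", "item": "HDD-001",
     "from": "Ofc. A. Smith", "to": "Custodian B. Lee",
     "location": "evidence locker 7", "signed": ["Ofc. A. Smith", "Custodian B. Lee"]},
    {"time": "2023-03-17T09:00:00Z", "item": "HDD-001",
     "from": "Custodian B. Lee", "to": "Examiner C. Ng",
     "location": "forensic lab", "signed": ["Custodian B. Lee", "Examiner C. Ng"]},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_chain(log, item):
    """Return the list of defects in one item's custody history; an empty list
    means the chain is unbroken, chronological, fully signed and starts at the
    seizure. Each defect names the item and the entry time so it can be traced
    back to the paper form."""
    entries = sorted((e for e in log if e["item"] == item), key=lambda e: parse_ts(e["time"]))
    if not entries:
        return [f"{item}: no custody record at all"]
    problems = []
    if not entries[0]["from"].startswith("seizure:"):
        problems.append(f"{item}: chain does not begin with the seizure")
    for i, e in enumerate(entries):
        # Both parties to a hand-off must sign; the seizure has only the seizing officer.
        required = {e["to"]} if i == 0 else {e["from"], e["to"]}
        missing = required - set(e["signed"])
        if missing:
            problems.append(f"{item} @ {e['time']}: not signed by {', '.join(sorted(missing))}")
        # The receiver on one line must be the releaser on the next; anything
        # else is a period in which nobody is on record as holding the item.
        if i > 0 and entries[i - 1]["to"] != e["from"]:
            problems.append(
                f"{item} @ {e['time']}: gap, {entries[i - 1]['to']} received it "
                f"but {e['from']} released it"
            )
    return problems


if __name__ == "__main__":
    print("complete log:", audit_chain(CONSTRUCTED_LOG, "HDD-001") or "no defects")
    # Drop the custodian's entry: the same log with a hole in it.
    print("missing entry:", audit_chain(CONSTRUCTED_LOG[::2], "HDD-001"))
    # Same log, but the examiner never signed for receipt.
    unsigned = CONSTRUCTED_LOG[:2] + [dict(CONSTRUCTED_LOG[2], signed=["Custodian B. Lee"])]
    print("unsigned receipt:", audit_chain(unsigned, "HDD-001"))
```

Running the audit before the report is written gives you the chance to find and explain a missing signature or an undocumented hand-off yourself, rather than having opposing counsel find it first.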

20 Summary You should use a generally-accepted investigation model along with forensic best practices. The model will help you perform all the steps in the proper order and will defuse the opposing attorney’s claims that your evidence is inadmissible. The forensic report is really the only deliverable of your work. You need meticulous documentation to create a professional forensic report.

