Guide to Computer Forensics and Investigations, Second Edition

Presentation on theme: "Guide to Computer Forensics and Investigations, Second Edition"— Presentation transcript:

1 Guide to Computer Forensics and Investigations, Second Edition
Chapter 5 Processing Crime and Incident Scenes

2 Guide to Computer Forensics and Investigations, 2e
Objectives
- Collect evidence in private-sector incident scenes
- Process law enforcement crime scenes
- Prepare for a search

3 Objectives (continued)
- Secure a computer incident or crime scene
- Seize digital evidence at the scene
- Review a case using three different computer forensics tools

4 Collecting Evidence in Private-Sector Incident Scenes
- Freedom of Information Act (FOIA)
  - States public records are open and available for inspection
  - Citizens can request public documents created by federal agencies
- Homeland Security Act
- Patriot Act

5 Collecting Evidence in Private-Sector Incident Scenes (continued)
- Corporate environment is much easier than criminal environment
- Employees' expectation of privacy
  - Create and publish a privacy policy
  - Use warning banners
  - State when an investigation can be initiated
- Reasonable suspicion

6 Collecting Evidence in Private-Sector Incident Scenes (continued)

7 Collecting Evidence in Private-Sector Incident Scenes (continued)
- Avoid becoming a law enforcement agent
  - Check with your corporate attorney on how to proceed
- Commingled data
- Warrants
- Subpoena
- Civil liability

8 Processing Law Enforcement Crime Scenes
- Criminal rules of search and seizure
- Probable cause
  - Specific crime was committed
  - Evidence exists
  - Place to be searched includes evidence
- Warrant
- Witness

9 Processing Law Enforcement Crime Scenes (continued)

10 Understanding Concepts and Terms Used in Warrants
- Innocent information
  - Unrelated information
- Limiting phrase
  - Separate innocent information from evidence
- Plain view doctrine
  - Searched area can be extended
- Knock and announce

11 Preparing for a Search
- Most important step in computing investigations
- Steps:
  - Identifying the nature of the case
  - Identifying the type of computer system
  - Determining whether you can seize a computer
  - Obtaining a detailed description of the location

12 Preparing for a Search (continued)
Steps (continued):
- Determining who is in charge
- Using additional technical expertise
- Determining the tools you need
- Preparing the investigation team

13 Identifying the Nature of the Case
- Private or public
- Dictates:
  - How you proceed
  - Resources needed during the investigation

14 Identifying the Type of Computing System
- Size of the disk drive
- Number of computers at the crime scene
- OSs
- Specific details about the hardware
- Easier to do in a controlled environment, such as a corporation

15 Determining Whether You Can Seize a Computer
- Ideal situation
  - Seize computers and take them to your lab
- Not always possible
- Need a warrant
- Consider using portable resources

16 Obtaining a Detailed Description of the Location
- Get as much information as you can
- Identify potential hazards
- Interact with your HAZMAT team
- HAZMAT guidelines
  - Protect your target disk before using it
  - Check for high temperatures

17 Determining Who Is in Charge
- Corporate computing investigations require only one person to respond
- Law enforcement agencies:
  - Handle large-scale investigations
  - Designate leader investigators

18 Using Additional Technical Expertise
- Look for specialists
  - OSs
  - RAID servers
  - Databases
- Can be hard
- Educate specialists in proper investigative techniques
  - Prevent evidence damage

19 Determining the Tools You Need
- Prepare your tools using incident and crime scene information
- Initial-response field kit
  - Lightweight
  - Easy to transport
- Extensive-response field kit
  - Includes all tools you can afford

20 Determining the Tools You Need (continued)

21 Determining the Tools You Need (continued)

22 Preparing the Investigation Team
- Review facts, plans, and objectives
- Coordinate an action plan with your team
  - Collect evidence
  - Secure evidence
- Slow response can cause digital evidence to be lost

23 Securing a Computer Incident or Crime Scene
- Preserve the evidence
- Keep information confidential
- Define a secure perimeter
  - Use yellow barrier tape
  - Legal authority
- Professional curiosity
  - Can destroy evidence

24 Seizing Digital Evidence at the Scene
- Law enforcement can seize evidence with a proper warrant
- Corporate investigators rarely can seize evidence
- U.S. DoJ standards for seizing digital data
  - Civil investigations follow same rules
  - Require less documentation, though
- Consult with your attorney for extra guidelines

25 Processing a Major Incident or Crime Scene
Guidelines
- Keep a journal
- Secure the scene
  - Be professional and courteous with onlookers
  - Remove people who are not part of the investigation
- Video record the computer area
  - Pay attention to details

26 Processing a Major Incident or Crime Scene (continued)
Guidelines (continued)
- Sketch the incident or crime scene
- Check computers as soon as possible
- Save data from current applications as safely as possible
- Make notes of everything you do when copying data from a live suspect computer
- Close applications and shut down the computer

27 Processing a Major Incident or Crime Scene (continued)
Guidelines (continued)
- Look for information related to the investigation
  - Passwords, passphrases, PINs, bank accounts
- Collect documentation and media related to the investigation
  - Hardware, software, backup media

28 Processing Data Centers with an Array of RAIDs
- Sparse evidence file recovery
  - Extracts only data related to evidence for your case from allocated files
  - Minimizes how much data you need to analyze
  - Doesn't recover residual data in free or slack space
- If you have a computer forensics tool that accesses the unallocated space on a RAID system, work it on a test system first to make sure it doesn't corrupt the RAID computer

29 Using a Technical Advisor at an Incident or Crime Scene
- Technical specialists
- Responsibilities:
  - Know aspects of the seized system
  - Direct the investigator handling sensitive material
  - Help secure the scene
  - Help document the planning strategy
  - Conduct ad hoc training
  - Document activities

30 Sample Civil Investigation
- Recover specific evidence
  - Suspect's Outlook folder (PST file)
- Covert surveillance
  - Company policy
  - Risk of civil or criminal liability
- Sniffing tools
  - For data transmissions

31 Sample Criminal Investigation
- Computer crimes examples
  - Fraud
  - Check fraud
  - Homicides
- Need a warrant to start seizing evidence
- Limit searching area

32 Sample Criminal Investigation (continued)

33 Reviewing a Case
- Tasks for planning your investigation
  - Identify the case requirements
  - Plan your investigation
  - Conduct the investigation
  - Complete the case report
  - Critique the case

34 Identifying the Case Requirements
- Identify requirements, such as:
  - Nature of the case
  - Suspect's name
  - Suspect's activity
  - Suspect's hardware and software specifications

35 Planning Your Investigation
- List what you can assume or know
  - Several incidents may or may not be related
  - Suspect's computer can contain information about the case
  - Whether someone else has used suspect's computer
- Make an image of suspect's computer disk drive
- Analyze forensics copy

36 DriveSpy
Functions
- Create an image
- Verify validity of image
- Analyze image
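The image-then-verify workflow that slides 35 and 36 describe, as an added Python example that is not part of the slides and not DriveSpy's code: it copies a constructed sample drive file bit for bit, hashes the source bytes as they are read, and later re-hashes the image to confirm it is still intact. The block size, file names and the zero-fill handling of unreadable blocks are assumptions.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # acquisition block size (assumption; real imagers use sector multiples)


def image_device(src_path, img_path, block=BLOCK):
    """Copy src_path bit-for-bit to img_path; return (sha256 of source bytes, journal).
    The digest covers the bytes read off the source, so it describes the original.
    An unreadable block is zero-filled in the image and logged (assumed policy)."""
    sha, journal, offset = hashlib.sha256(), [], 0
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        while True:
            try:
                chunk = src.read(block)
            except OSError as exc:
                journal.append(f"read error at offset {offset}: {exc}; zero-filled")
                chunk = b"\x00" * block
                src.seek(offset + block)  # skip the bad block and keep going
            if not chunk:  # clean end of the source
                break
            sha.update(chunk)
            img.write(chunk)
            offset += len(chunk)
    journal.append(f"acquired {offset} bytes from {src_path}; sha256={sha.hexdigest()}")
    return sha.hexdigest(), journal


def verify_image(img_path, expected_sha256, block=BLOCK):
    """Re-hash the image file and compare with the acquisition digest (True if intact)."""
    sha = hashlib.sha256()
    with open(img_path, "rb") as img:
        for chunk in iter(lambda: img.read(block), b""):
            sha.update(chunk)
    return sha.hexdigest() == expected_sha256


def demo():
    """Constructed sample drive: a fixed byte pattern in a temp file (not real evidence)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "suspect_drive.bin")
    img = os.path.join(workdir, "suspect_drive.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 40 + b"\xff" * 1000)  # 11240 bytes, not a block multiple
    digest, journal = image_device(src, img)
    intact = verify_image(img, digest)
    with open(img, "r+b") as f:  # simulate one altered byte in the working copy
        f.seek(10)
        f.write(b"X")
    return intact, verify_image(img, digest), len(journal)
```

The first verification passes and the second fails, which is the check that tells an examiner the copy they are about to analyze no longer matches what was acquired.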

37 DriveSpy (continued)

38 DriveSpy (continued)

39 Access Data Forensic Toolkit (FTK)
Functions
- Extract the image from a bit-stream image file
- Analyze the image

40 Access Data Forensic Toolkit (FTK) (continued)

41 Access Data Forensic Toolkit (FTK) (continued)

42 X-Ways Forensics
Functions
- Extract forensic image
- Analyze image

43 X-Ways Forensics (continued)

44 X-Ways Forensics (continued)

45 X-Ways Forensics (continued)

46 Summary
- Private sector
  - Contained and controlled area
  - Publish right to inspect computer assets policy
- Private and public sectors follow same computing investigation rules
- Avoid becoming an agent of law enforcement
- Criminal cases require warrants

47 Summary (continued)
- Protect your safety and health as well as the integrity of the evidence from hazardous materials
- Follow guidelines when processing an incident or crime scene
  - Securing perimeter
  - Video recording

48 Summary (continued)
- Become familiar with forensics tools
  - DriveSpy and Image
  - FTK
  - X-Ways Forensics

