Policies and Procedures

Upload: shannon-simon

Post on 29-Dec-2015


Introduction

In this chapter, you will be introduced to:
• best practices
• generally accepted guidelines
• procedures used by computer forensics practitioners

Reasons for Policies and Procedures

Investigators establish generally accepted policies and procedures to ensure that:
• A baseline or benchmark is set for all cases, as needed for external audits or other reference
• Processes throughout the case life cycle are understood
• Technical procedures are well documented
• Integrity is automatically built into the handling of the case
• Different forensic investigators can work or collaborate on the same case without significant disruption
• The final report has a standard format

Personnel Hiring Issues

Characteristics important for members of a forensics unit include:
• Experience in computer forensics
• Education in relevant forensic areas
• Certifications in computer forensics
• Integrity and judgment
• Team player attitude
• Ability to adapt
• Ability to work under pressure

Personnel Training

Some training areas include:
• Computer forensics
• Network forensics
• PDA forensics
• Cellular phone forensics
• Legal issues
• Industry-specific issues
• Management training
• Investigative techniques

Pre-Case Cautions

When deciding to take a case, consider whether your team can ensure the integrity of the case's e-evidence:
• Evidence value is time sensitive
• Links to digital information can degrade

Deciding to Take a Case

Criteria for accepting a case include:
• Whether it is a criminal or civil case
• The impact on the investigating organization
• Whether the evidence is volatile or nonvolatile
• Legal considerations about data that might be exposed
• The nature of the crime
• Potential victims, such as children in child pornography cases
• Liability issues for the organization
• The age of the case
• Amount of time before the court date

FYI: Types of Data That Might Be Exposed in an Investigation

Information that can be exposed in an investigation that is not within the original scope:
• Personal financial data
• Personal e-mail
• E-mail or documents containing company secrets
• Instant messaging logs
• Privileged communications
• Proprietary information (corporate)

General Case Intake Form

• Checks for conflict of interest in the case
• Confirms the understanding and agreement among the parties involved and sets the stage for everything else about the case
• Chain of custody
• Basic evidence documentation

Sample intake form: [Figure: Sample Intake Form]

Documenting the First Steps in the Case

The importance of documenting first steps cannot be overemphasized. Questions that should be asked before traveling to a site:
• What circumstances surrounding this case require a computer forensics expert?
• What types of hardware and software are involved?

Equipment in a Basic Forensics Kit

• Cellular phone
• Basic hardware toolkit
• Watertight/static-resistant plastic bags
• Labels
• Bootable media
• Cables (USB, printer, FireWire)
• Writing implements
• Laptop
• PDA
• High-resolution camera
• Hardware write blocker
• Luggage cart
• Flashlight
• Power strip
• Log book
• Gloves
• External USB hard drive
• Forensic examiner platform

Steps in the Forensic Examination

• Verify legal authority
• Collect preliminary data
• Determine the environment for the investigation
• Secure and transport evidence
• Acquire the evidence from the suspect system

Verify Legal Authority

• In a criminal case, authority to conduct a search is up to the local jurisdiction
• A search warrant is required for search and seizure
• Search warrants may need to be amended or expanded
• In civil cases involving corporate equipment, investigators have greater leeway to seize

Collect Preliminary Data

Question: What types of e-evidence am I looking for?
Consideration: Are you being tasked to look for photographs, documents, databases, spreadsheets, financial records, or e-mail?

Question: What is the skill level of the user in question?
Consideration: The more sophisticated the user, the more likely that he has the capability to alter or destroy evidence.

Question: What kind of hardware is involved?
Consideration: Is it an IBM-compatible computer or a Macintosh computer?

Collect Preliminary Data (Cont.)

Question: What kind of software is involved?
Consideration: To a large degree, the type of software you are working with determines how you extract and eventually read the information.

Question: Do I need to preserve other types of evidence?
Consideration: Will you need to worry about fingerprints, DNA, or trace evidence?

Question: What is the computer environment like?
Consideration: Are you dealing with a network? If so, what are the physical/logical topology, OS, usernames, and passwords?

Determine the Environment for the Investigation

Consider these factors when deciding where to conduct the examination:
• Integrity of the evidence collection process
• Estimation of the time required to do an examination
• Impact on the target organization
• Equipment resources
• Personnel considerations

Secure and Transport Evidence

Document the evidence:
• Locate all evidence to be seized
• Record a general description of the room:
  • Type of media found
  • All peripheral devices attached to the computer(s)
  • Make, model, and serial numbers of devices seized
  • What types of media devices are located in, near, or on the computer
• Note all wireless devices
• Make use of chain of custody forms

Secure and Transport Evidence (Cont.)

Tag the evidence: tag everything that will be transported back to the forensics lab:
• All removable media
• All computer equipment
• Books/magazines
• Trash contents
• Peripherals
• Cables
• Notes/miscellaneous paper

The tag should include time, date, location, and general condition of the evidence.

Secure and Transport Evidence (Cont.)

Bag the evidence:
• Small items go into small antistatic bags
• Larger items go into antistatic boxes

Bagging evidence:
• Protects the evidence
• Organizes the evidence
• Preserves other potential evidence

Secure and Transport Evidence (Cont.)

Transport the evidence. Use these items to make transport easier:
• Luggage cart
• Hand cart
• Bungee cords with hooks or clamps
• Duct tape
• Small cargo net
• Leather gloves
• Twist ties
• Plastic cable ties/PlastiCuffs

Acquire the Evidence

First document the hardware and software to be used in acquiring the evidence.
• Disassemble the suspect computer
• Acquire hard drive information:
  • BIOS information
  • Boot sequence
  • Time and date

Acquire the Evidence (Cont.)

Basic guidelines:
• Wipe all media you plan to use, and use a standard character during that wipe
• Activate the write protection
• Perform a hash of the original drive and of the forensic copy to make sure you have a bit-for-bit copy
• Do a physical acquisition to capture space not accessible by the operating system
• Make a working or backup copy
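The wipe, write-protect, hash and working-copy guidelines above, as an added Python example that is not part of the chapter: a constructed 10 KiB "drive" file stands in for the suspect media, the target is wiped with a standard character, imaged bit-for-bit with the source opened read-only, and source, image and working copy are hash-compared (a single altered byte in the copy is caught). File names, sizes and function names are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096

def wipe_media(path, size, fill=b"\x00"):
    """Overwrite target media with one standard character, then read it back to confirm."""
    with open(path, "wb") as f:
        for off in range(0, size, BLOCK_SIZE):
            f.write(fill * min(BLOCK_SIZE, size - off))
    with open(path, "rb") as f:
        return f.read() == fill * size

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image):
    """Bit-for-bit copy. Source is opened read-only (software side of write
    protection; a hardware blocker is still used) and hashed as it is read;
    the finished image is hashed independently for comparison."""
    src_hash, copied = hashlib.sha256(), 0
    with os.fdopen(os.open(source, os.O_RDONLY), "rb") as src, open(image, "wb") as img:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            src_hash.update(block)
            img.write(block)
            copied += len(block)
    return src_hash.hexdigest(), hash_file(image), copied

def run_demo():
    """Constructed 10 KiB 'drive': a file-system-like area plus trailing bytes
    an OS would not expose (the reason for a physical acquisition)."""
    with tempfile.TemporaryDirectory() as d:
        drive, image, copy = (os.path.join(d, n) for n in ("drive.bin", "image.dd", "copy.dd"))
        with open(drive, "wb") as f:
            f.write(b"FS:" + b"A" * 8000 + b"\x00" * 2231 + b"HIDDEN")
        wiped = wipe_media(image, 10240)
        src_h, img_h, n = acquire_image(drive, image)
        with open(image, "rb") as i, open(copy, "wb") as w:  # working copy for analysis
            w.write(i.read())
        copy_ok = hash_file(copy) == img_h
        with open(copy, "r+b") as w:  # a single altered byte must be detected
            w.seek(100)
            w.write(b"B")
        return {"wiped": wiped, "bytes": n, "source_matches_image": src_h == img_h,
                "copy_verified": copy_ok, "altered_copy_verified": hash_file(copy) == img_h}
```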

Examining the Evidence

• There are no specific rules for examining evidence, due to the variety of cases
• The experience level of the user determines how the examiner approaches the investigation of evidence
• Physical extraction or examination (searches in areas the operating system does not recognize)
• Logical extraction or examination (sees only what the operating system can see)

Examining the Evidence (Cont.)

Bottom-layer examinations:
• File system details (operating system details, known issues with the OS, server configuration)
• Directory/file system structure (FAT vs. MFT, cluster size allocations)
• Operating system norms (Which directory does it normally spool printer files in? Where are temporary files stored?)
• Other partition information
• Other operating systems (dual/multiboot systems)

Examining the Evidence (Cont.)

Second-layer examinations:
• Exclusion of known files using hash analysis (to eliminate common operating system files)
• File header and extension (compare the file header with its extension. Why?)
• Obvious files of interest

Third-layer examinations:
• Extraction of password-protected and encrypted files (analyzing which files are password-protected or encrypted and selecting an appropriate tool to open them)
• Extraction of compressed and deleted files (zip)
• Link analysis (records where a file has been saved recently and usually includes the path, date, and time; important because of removable storage devices)
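The two second-layer steps above (known-file exclusion by hash, then header versus extension comparison) as an added Python example that is not from the chapter: it answers the slide's "Why?" by flagging a JPEG that was renamed to .txt. The signature table, the sample files and the single "known" hash are constructed for the demonstration; a real examination would load a reference hash set such as NIST's NSRL.

```python
import hashlib

# File signatures (magic bytes) and the extensions that legitimately carry them.
SIGNATURES = [
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"GIF8", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx"}),  # Office files are ZIP containers
    (b"MZ", {"exe", "dll"}),
]

# Constructed sample files (name -> leading bytes); not taken from any real case.
SAMPLE_FILES = {
    "notepad.exe": b"MZ" + b"\x90" * 32,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "report.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 16,  # a JPEG renamed to .txt
    "budget.xlsx": b"PK\x03\x04" + b"\x00" * 16,
    "invoice.pdf": b"%PDF-1.4\n",
    "readme.bin": b"plain text, no known header",
}

# Stands in for a reference hash set of known OS/application files (such as
# NIST's NSRL); this entry is derived from the sample above, not a real NSRL hash.
KNOWN_FILE_HASHES = {hashlib.sha256(SAMPLE_FILES["notepad.exe"]).hexdigest()}

def triage(files, known_hashes):
    """Second-layer pass: drop known files by hash, then compare each remaining
    file's header with its extension. Returns {name: verdict}."""
    verdicts = {}
    for name, data in files.items():
        if hashlib.sha256(data).hexdigest() in known_hashes:
            verdicts[name] = "excluded: known file"
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        # First signature the data starts with, or None if the header is unknown.
        exts = next((e for magic, e in SIGNATURES if data.startswith(magic)), None)
        if exts is None:
            verdicts[name] = "unknown signature: review manually"
        elif ext in exts:
            verdicts[name] = "header matches extension"
        else:
            verdicts[name] = f"MISMATCH: header says {'/'.join(sorted(exts))}, extension is .{ext}"
    return verdicts

def files_of_interest(files, known_hashes):
    """Names whose verdict warrants a closer look (mismatched or unknown header)."""
    return sorted(n for n, v in triage(files, known_hashes).items()
                  if v.startswith(("MISMATCH", "unknown")))
```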

Examining the Evidence (Cont.)

Fourth-layer examinations:
• Extraction of unallocated space files of interest (for example: e-mail checked, screenshot stored, closed, temporary file deleted)
• Extraction of file slack space files of interest

Fifth-layer examinations:
• Documentation should reflect how the evidence was extracted and where it has been extracted to for further analysis

The Art of Forensics: Analyzing the Data

File analysis investigations include:
• File content (Case: financial fraud. Files dealing with finance or spreadsheets would be the obvious choice.)
• Metadata (Goal: solidify the connection between the data and who actually created it.)
• Application files (Application used recently, yet no files are found by signature/header analysis: file stored on removable media.)
• Operating system file types (Find *.tar in a Windows OS?)
• Directory/folder structure (What does creating folders and saving files into those folders imply?)
• Patterns (Find a pattern, such as files saved at 2:00 am every Monday.)
• User configurations (Learn the configuration to put together a picture of the evidence and to possibly locate more evidence.)

Analyzing the Data (Cont.)

Data-hiding analyses should include:
• Password-protected files. Several options:
  • Check the Internet for password-cracking software
  • Check with the software developer of the application
  • Contact a firm that specializes in cracking passwords
• Compressed files
• Encrypted files
• Steganography

Analyzing the Data (Cont.)

Time frame analysis should examine the following file attributes:
• Creation date/time
• Modified date/time
• Accessed date/time
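Time frame analysis on the three attributes above, combined with the pattern search from the file-analysis slide ("files saved at 2:00 am every Monday"), as an added Python example that is not part of the chapter: it builds a chronological timeline from created/modified/accessed stamps, narrows it to a window, finds recurring weekday/hour slots, and flags files whose modified time precedes their created time. The MAC-time records are constructed, and the function names are assumptions.

```python
from collections import Counter
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed MAC-time records (name, created, modified, accessed); not from a real case.
RECORDS = [
    ("q1_ledger.xls", "2015-03-02 02:00", "2015-03-02 02:04", "2015-03-16 09:12"),
    ("q2_ledger.xls", "2015-03-09 02:01", "2015-03-09 02:05", "2015-03-16 09:13"),
    ("q3_ledger.xls", "2015-03-16 02:00", "2015-03-16 02:03", "2015-03-16 09:14"),
    ("memo.doc",      "2015-03-11 14:20", "2015-03-12 10:02", "2015-03-12 10:02"),
    ("old_photo.jpg", "2015-01-05 18:30", "2014-12-25 12:00", "2015-01-05 18:30"),
]

def parse(rec):
    name, c, m, a = rec
    return {"name": name, "created": datetime.strptime(c, FMT),
            "modified": datetime.strptime(m, FMT), "accessed": datetime.strptime(a, FMT)}

def timeline(records):
    """Every created/modified/accessed stamp as one event, in chronological order."""
    return sorted((r[attr], r["name"], attr)
                  for r in map(parse, records) for attr in ("created", "modified", "accessed"))

def activity_in_window(records, start, end):
    """Events between two 'YYYY-MM-DD HH:MM' bounds, e.g. the period relevant to the case."""
    lo, hi = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    return [e for e in timeline(records) if lo <= e[0] <= hi]

def recurring_pattern(records, attr="created", min_count=3):
    """(weekday, hour) slots shared by at least min_count files: the
    'files saved at 2:00 am every Monday' kind of pattern."""
    slots = Counter((r[attr].strftime("%A"), r[attr].hour) for r in map(parse, records))
    return sorted(slot for slot, n in slots.items() if n >= min_count)

def copied_in(records):
    """Files whose modified time is earlier than their created time: on common
    file systems this is typical of a file copied onto the volume (from
    removable media, for instance) rather than authored there."""
    return [r["name"] for r in map(parse, records) if r["modified"] < r["created"]]
```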

Reporting on the Investigation

The last step is to finish documenting the investigation and prepare a report on it.

Documentation should include information such as:
• Notes taken during initial contact with the lead investigator
• Any forms used to start the investigation
• A copy of the search warrant
• Documentation of the scene where the computer was located
• Procedures used to acquire, extract, and analyze the evidence

Reporting on the Investigation (Cont.)

A detailed final report should be organized into the following sections:
• Report summary
• Body of the report
• Conclusion
• Supplementary materials (e.g., glossary, appendices)

Reporting on the Investigation (Cont.)

The final detailed report should cover:
• Case investigator information: name and contact details
• The suspect user information
• Case numbers or identifiers used by your department
• Location of the examination
• Type of information you have been requested to find

Reporting on the Investigation (Cont.)

The report summary should contain:
• Files found with evidentiary value
• Supporting files that support the allegations
• Ownership analysis of files
• Analysis of data within suspect files
• Search types, including text strings, keywords, etc.
• Any attempts at data hiding, such as passwords, encryption, and steganography

Summary

Policies and procedures:
• Are key to a consistent and methodical investigation
• Aid in the management of a computer forensics lab
• Should be flexible enough to adjust to each case

Summary (Cont.)

Four main steps to any computer forensics investigation:
• Planning
• Acquisition
• Analysis
• Reporting

A computer forensic analyst must:
• Keep up with the technology of the day
• Be a psychologist who understands how people use technology