Introduction
In this chapter, you will be introduced to:
• best practices
• generally accepted guidelines
• procedures used by computer forensics practitioners
Reasons for Policies and Procedures
Investigators establish generally accepted policies and procedures to ensure that:
• A baseline or benchmark is set for all cases, as needed for external audits or other reference
• Processes throughout the case life cycle are understood
• Technical procedures are well documented
• Integrity is automatically built into the handling of the case
• Different forensic investigators can work or collaborate on the same case without significant disruption
• The final report has a standard format
Personnel Hiring Issues
Characteristics important for members of a forensics unit include:
• Experience in computer forensics
• Education in relevant forensic areas
• Certifications in computer forensics
• Integrity and judgment
• Team player attitude
• Ability to adapt
• Ability to work under pressure
Personnel Training
Some training areas include:
• Computer forensics
• Network forensics
• PDA forensics
• Cellular phone forensics
• Legal issues
• Industry-specific issues
• Management training
• Investigative techniques
Pre-Case Cautions
• When deciding to take a case, consider whether your team can ensure the integrity of the case's e-evidence
• Evidence value is time sensitive
• Links to digital information can degrade
Deciding to Take a Case
Criteria for accepting a case include:
• Whether it is a criminal or civil case
• The impact on the investigating organization
• Whether the evidence is volatile or nonvolatile
• Legal considerations about data that might be exposed
• The nature of the crime
• Potential victims, such as children in child pornography cases
• Liability issues for the organization
• The age of the case
• Amount of time before the court date
FYI: Types of Data That Might Be Exposed in an Investigation
Information that can be exposed in an investigation that is not within the original scope:
• Personal financial data
• Personal e-mail
• E-mail or documents containing company secrets
• Instant messaging logs
• Privileged communications
• Proprietary information (corporate)
General Case Intake Form
• Checks for conflict of interest in the case
• Confirms the understanding and agreement among the parties involved and sets the stage for everything else about the case
• Chain of custody
• Basic evidence documentation
Sample intake form: [figure not reproduced in the transcript]
Documenting the First Steps in the Case
• The importance of documenting first steps cannot be overemphasized
• Questions that should be asked before traveling to a site:
  – What circumstances surrounding this case require a computer forensics expert?
  – What types of hardware and software are involved?
Equipment in a Basic Forensics Kit
• Cellular phone
• Basic hardware toolkit
• Watertight/static-resistant plastic bags
• Labels
• Bootable media
• Cables (USB, printer, FireWire)
• Writing implements
• Laptop
• PDA
• High-resolution camera
• Hardware write blocker
• Luggage cart
• Flashlight
• Power strip
• Log book
• Gloves
• External USB hard drive
• Forensic examiner platform
Steps in the Forensic Examination
1. Verify legal authority
2. Collect preliminary data
3. Determine the environment for the investigation
4. Secure and transport evidence
5. Acquire the evidence from the suspect system
Verify Legal Authority
• In a criminal case, the authority to conduct a search is determined by the local jurisdiction
• A search warrant is required for search and seizure
• Search warrants may need to be amended or expanded
• In civil cases involving corporate equipment, investigators have greater leeway to seize
Collect Preliminary Data
Questions and considerations:
• What types of e-evidence am I looking for?
  – Are you being tasked to look for photographs, documents, databases, spreadsheets, financial records, or e-mail?
• What is the skill level of the user in question?
  – The more sophisticated the user, the more likely that he has the capability to alter or destroy evidence.
• What kind of hardware is involved?
  – Is it an IBM-compatible computer or a Macintosh computer?
Collect Preliminary Data (Cont.)
Questions and considerations:
• What kind of software is involved?
  – To a large degree, the type of software you are working with determines how you extract and eventually read the information.
• Do I need to preserve other types of evidence?
  – Will you need to worry about fingerprints, DNA, or trace evidence?
• What is the computer environment like?
  – Are you dealing with a network? If so, what are the physical/logical topology, OS, usernames, and passwords?
Determine the Environment for the Investigation
Consider these factors when deciding where to conduct the examination:
• Integrity of the evidence collection process
• Estimation of the time required to do an examination
• Impact on the target organization
• Equipment resources
• Personnel considerations
Secure and Transport Evidence
Document the evidence:
• Locate all evidence to be seized
• Record a general description of the room:
  – Type of media found
  – All peripheral devices attached to the computer(s)
  – Make, model, and serial numbers of devices seized
  – What types of media devices are located in, near, or on the computer
• Note all wireless devices
• Make use of chain of custody forms
Secure and Transport Evidence (Cont.)
Tag the evidence:
• Tag everything that will be transported back to the forensics lab:
  – All removable media
  – All computer equipment
  – Peripherals
  – Cables
  – Books/magazines
  – Notes/miscellaneous paper
  – Trash contents
• The tag should include time, date, location, and general condition of the evidence
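The chain of custody forms and evidence tags from the two slides above record who held each item, when, where, and in what condition. The following is an added example (not part of the slides) of keeping that record in a tamper-evident form: each custody record carries the tag fields the slide lists, and its hash covers the previous record's hash, so an edit to or removal of any earlier record invalidates every record after it. The tag number, names, and times are constructed.

```python
"""Tamper-evident chain of custody log. Added example, not from the slides; the
entries are constructed. Each record carries the evidence-tag fields the slide
lists (time/date, location, general condition) plus who handled the item and
what they did, and each record's hash covers the previous record's hash, so
altering or removing an earlier record invalidates every record after it."""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first record of a log


def record_hash(fields, prev_hash):
    """SHA-256 over the record's fields (canonical JSON) and the previous hash."""
    payload = json.dumps(fields, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CustodyLog:
    def __init__(self, evidence_tag):
        self.evidence_tag = evidence_tag
        self.records = []

    def record(self, timestamp, custodian, action, location, condition):
        """Append one custody event and return its hash."""
        prev = self.records[-1]["hash"] if self.records else GENESIS
        fields = {
            "evidence_tag": self.evidence_tag,
            "timestamp": timestamp,   # date and time of the transfer or action
            "custodian": custodian,   # person taking responsibility for the item
            "action": action,         # seized / transported / received / examined ...
            "location": location,
            "condition": condition,   # general condition of the item at that moment
            "prev_hash": prev,
        }
        fields["hash"] = record_hash(fields, prev)
        self.records.append(fields)
        return fields["hash"]

    def verify(self):
        """Recompute every hash in order. Returns (True, None) if the log is
        intact, otherwise (False, index of the first record that fails)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            fields = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev_hash"] != prev or record_hash(fields, prev) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, None


def demo():
    """Constructed custody history, verified before and after a simulated edit."""
    log = CustodyLog("EV-2023-0001")  # constructed tag number
    log.record("2023-03-06 09:15", "A. Examiner", "seized", "Suite 410, desk 3",
               "powered off, no visible damage")
    log.record("2023-03-06 11:40", "A. Examiner", "transported",
               "vehicle, sealed antistatic bag", "seal intact")
    log.record("2023-03-06 13:05", "B. Custodian", "received",
               "forensics lab, locker 7", "seal intact")
    intact = log.verify()
    log.records[1]["location"] = "vehicle, unsealed"  # simulated after-the-fact edit
    tampered = log.verify()
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1))
```

The hash chain only proves that the records have not changed since they were written; the log itself must still be stored where the custodian cannot silently rewrite it, for example by printing or exporting each record's hash onto the paper chain of custody form at the time of the transfer.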
Secure and Transport Evidence (Cont.)
Bag the evidence:
• Small items go into small antistatic bags
• Larger items go into antistatic boxes
• Bagging evidence:
  – Protects the evidence
  – Organizes the evidence
  – Preserves other potential evidence
Secure and Transport Evidence (Cont.)
Transport the evidence. Use these items to make transport easier:
• Luggage cart
• Hand cart
• Bungee cords with hooks or clamps
• Duct tape
• Small cargo net
• Leather gloves
• Twist ties
• Plastic cable ties/PlastiCuffs
Acquire the Evidence
• First document the hardware and software to be used in acquiring the evidence
• Disassemble the suspect computer
• Acquire hard drive information:
  – BIOS information
  – Boot sequence
  – Time and date
Acquire the Evidence (Cont.)
Basic guidelines:
• Wipe all media you plan to use, and use a standard character during that wipe
• Activate the write protection
• Perform a hash of the original drive and of the forensic copy to make sure you have a bit-for-bit copy
• Do a physical acquisition to capture space not accessible by the operating system
• Make a working or backup copy
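Two of the guidelines above can be checked mechanically: that the target media really was wiped with a standard character before use, and that the hash of the forensic copy equals the hash of the original. The block below is an added example, not code from the slides; the "drive images" are constructed byte strings read through BytesIO, standing in for image files or raw block devices opened in binary mode. Hashing is done in chunks so a multi-gigabyte image is never loaded into memory at once.

```python
"""Acquisition checks: confirm the target medium reads back only the wipe
character, and hash the original and the forensic copy to confirm a
bit-for-bit match. Added example, not from the slides; the sample images are
constructed byte strings."""
import hashlib
import io

CHUNK = 1 << 20  # hash 1 MiB at a time so a large image is streamed, not loaded whole


def hash_stream(fp, algorithm="sha256"):
    """Hex digest of everything readable from the binary file object fp."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: fp.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    """Convenience wrapper for in-memory data (e.g. a captured boot sector)."""
    return hash_stream(io.BytesIO(data), algorithm)


def verify_copy(original_fp, copy_fp, algorithm="sha256"):
    """Return (original_digest, copy_digest, match). Both digests belong in the
    acquisition notes; the copy is only usable as evidence when match is True."""
    orig = hash_stream(original_fp, algorithm)
    dup = hash_stream(copy_fp, algorithm)
    return orig, dup, orig == dup


def verify_wipe(fp, fill=0x00):
    """Confirm a wiped target medium contains only the fill byte. Returns the
    offset of the first byte that differs, or -1 when the medium is clean."""
    offset = 0
    for block in iter(lambda: fp.read(CHUNK), b""):
        for i, b in enumerate(block):
            if b != fill:
                return offset + i
        offset += len(block)
    return -1


# Constructed sample "drive": a boot-sector-like header, padding, the 0x55AA
# boot signature at offsets 510-511, then some filler "user data".
SOURCE_IMAGE = b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * 499 + b"\x55\xAA" + b"user data" * 64
EXACT_COPY = bytes(SOURCE_IMAGE)
DAMAGED_COPY = SOURCE_IMAGE[:510] + b"\x00\x00" + SOURCE_IMAGE[512:]  # boot signature lost


def demo():
    """Run both checks on the constructed data and return the outcomes."""
    clean_target = io.BytesIO(b"\x00" * 4096)            # wiped with 0x00 throughout
    dirty_target = io.BytesIO(b"\x00" * 2000 + b"old")   # leftover data at offset 2000
    _, _, good = verify_copy(io.BytesIO(SOURCE_IMAGE), io.BytesIO(EXACT_COPY))
    _, _, bad = verify_copy(io.BytesIO(SOURCE_IMAGE), io.BytesIO(DAMAGED_COPY))
    return {
        "clean_wipe_offset": verify_wipe(clean_target),   # -1
        "dirty_wipe_offset": verify_wipe(dirty_target),   # 2000
        "exact_copy_matches": good,                       # True
        "damaged_copy_matches": bad,                      # False
    }


if __name__ == "__main__":
    print(demo())
```

To run the same checks against real media, open the image file or device node in binary mode (`open(path, "rb")`) and pass that file object instead of the BytesIO objects; the write blocker stays in place while the original is read.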
Examining the Evidence
• There are no specific rules for examining evidence, due to the variety of cases
• The experience level of the user determines how the examiner approaches the investigation of evidence
• Physical extraction or examination (searches in areas the operating system does not recognize)
• Logical extraction or examination (sees only what the operating system can see)
Examining the Evidence (Cont.)
Bottom-layer examinations:
• File system details (operating system details, known issues with the OS, server configuration)
• Directory/file system structure (FAT vs. MFT, cluster size allocations)
• Operating system norms (Which directory does it normally spool printer files in? Where are temporary files stored?)
• Other partition information
• Other operating systems (dual/multiboot systems)
Examining the Evidence (Cont.)
Second-layer examinations:
• Exclusion of known files using hash analysis (to eliminate common operating system files)
• File header and extension (compare the file header with its extension. Why?)
• Obvious files of interest
Third-layer examinations:
• Extraction of password-protected and encrypted files (analyzing which files are password-protected or encrypted and selecting an appropriate tool to open them)
• Extraction of compressed and deleted files (zip)
• Link analysis (link files record where a file has been saved recently and usually include the path, date, and time; important because of removable storage devices)
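The two second-layer checks above, hash-based exclusion of known files and comparison of a file's header with its extension, can be automated over a set of files. The following is an added example, not code from the slides: it excludes any file whose SHA-256 is in a known-file set (constructed here; in practice this would be a reference set such as the NSRL) and then classifies the remaining files by whether their leading bytes agree with their extension. The sample files and their contents are constructed; the signature table covers a few common formats and is not exhaustive.

```python
"""Second-layer triage: exclude known files by hash, then compare each file's
header (magic bytes) with its extension. Added example, not from the slides;
the known-file set and the sample files are constructed."""
import hashlib

# Leading bytes of some common formats and the extensions they legitimately carry.
# Office Open XML files (.docx/.xlsx/.pptx) are zip containers, so a "PK" header
# under .docx is consistent, not a mismatch.
SIGNATURES = {
    b"\xFF\xD8\xFF": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},
    b"MZ": {".exe", ".dll"},
}


def extension_of(name):
    """Lower-cased extension including the dot; '' for names without one."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def header_check(name, data):
    """'consistent', 'mismatch', or 'unknown header' for one file."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return "consistent" if extension_of(name) in exts else "mismatch"
    return "unknown header"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def triage(files, known_hashes):
    """files: {path: content bytes}. Returns {path: verdict}: known files are
    excluded first; the rest are classified by header/extension agreement."""
    verdicts = {}
    for path, data in files.items():
        if sha256(data) in known_hashes:
            verdicts[path] = "known file (excluded)"
        else:
            verdicts[path] = header_check(path, data)
    return verdicts


# Constructed sample files (contents are stand-ins, not real binaries)
SAMPLE_FILES = {
    "C:/Windows/System32/calc.exe": b"MZ\x90\x00" + b"\x00" * 60,           # stock OS binary
    "C:/Users/j/report.pdf": b"%PDF-1.7\n%...",
    "C:/Users/j/holiday.jpg": b"PK\x03\x04" + b"\x00" * 26 + b"secret.xlsx",  # zip renamed to .jpg
    "C:/Users/j/budget.xlsx": b"PK\x03\x04" + b"\x00" * 26,
    "C:/Users/j/todo.txt": b"call accountant\n",
}
# Known-file set: hashes of files already accepted as standard OS content
KNOWN_HASHES = {sha256(SAMPLE_FILES["C:/Windows/System32/calc.exe"])}


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_FILES, KNOWN_HASHES).items():
        print(f"{verdict:<22} {path}")
```

A "mismatch" verdict answers the slide's "Why?": a header that does not match the extension is the simplest sign that a file was renamed to hide what it is, so those files go to the top of the review list. Files with an unknown header are not cleared; they simply need a different check (content inspection, a fuller signature database).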
Examining the Evidence (Cont.)
Fourth-layer examinations:
• Extraction of unallocated space files of interest (example sequence: e-mail checked, screenshot stored, closed, temporary file deleted)
• Extraction of file slack space files of interest
Fifth-layer examinations:
• Documentation should reflect how the evidence was extracted and where it has been extracted to for further analysis
The Art of Forensics: Analyzing the Data
File analysis investigations include:
• File content (Case: financial fraud. Files dealing with finance or spreadsheets would be the obvious choice.)
• Metadata (Goal: solidify the connection between the data and who actually created it.)
• Application files (An application was used recently, but no matching files are found by signature/header analysis; the files may be stored on removable media.)
• Operating system file types (Why would a *.tar file be found on a Windows OS?)
• Directory/folder structure (What does creating folders and saving files into those folders imply?)
• Patterns (e.g., a pattern of files saved at 2:00 am every Monday.)
• User configurations (Learn the configuration to put together a picture of the evidence and to possibly locate more evidence.)
Analyzing the Data (Cont.)
Data-hiding analyses should include:
• Password-protected files. Several options:
  – Check the Internet for password-cracking software
  – Check with the software developer of the application
  – Contact a firm that specializes in cracking passwords
• Compressed files
• Encrypted files
• Steganography
Analyzing the Data (Cont.)
Time frame analysis should examine the following file attributes:
• Creation date/time
• Modified date/time
• Accessed date/time
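Time frame analysis takes the three attributes above for every file of interest and lays them out as one ordered timeline, which is also where the "files saved at 2:00 am every Monday" pattern from the earlier slide shows up. The block below is an added example, not code from the slides; the file records are constructed and would normally come from a file system parser or a forensic tool's export. It builds the timeline for a window of interest, looks for creation times that recur at the same weekday and hour, and flags files whose creation time is later than their modification time (on Windows a copied file keeps the source's modified time but receives a new creation time, so this combination usually marks a file that was copied in from elsewhere, for example from removable media).

```python
"""Time frame analysis over created/modified/accessed attributes, plus a search
for recurring creation times and for copied-file timestamp anomalies. Added
example, not from the slides; RECORDS is constructed data."""
from collections import defaultdict
from datetime import datetime

WEEKDAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

# Constructed records: (path, created, modified, accessed), all in UTC
RECORDS = [
    ("C:/Users/j/Docs/q1.xlsx",   datetime(2023, 3, 6, 2, 0),   datetime(2023, 3, 6, 2, 5),    datetime(2023, 3, 7, 9, 0)),
    ("C:/Users/j/Docs/q2.xlsx",   datetime(2023, 3, 13, 2, 1),  datetime(2023, 3, 13, 2, 4),   datetime(2023, 3, 14, 9, 0)),
    ("C:/Users/j/Docs/q3.xlsx",   datetime(2023, 3, 20, 2, 2),  datetime(2023, 3, 20, 2, 6),   datetime(2023, 3, 21, 9, 0)),
    ("E:/backup/memo.docx",       datetime(2023, 3, 15, 14, 0), datetime(2023, 2, 1, 10, 0),   datetime(2023, 3, 15, 14, 0)),
    ("C:/Users/j/Docs/notes.txt", datetime(2023, 1, 10, 11, 0), datetime(2023, 1, 12, 11, 30), datetime(2023, 3, 1, 8, 0)),
]
WINDOW_START = datetime(2023, 3, 1)             # period of interest for the case
WINDOW_END = datetime(2023, 3, 31, 23, 59, 59)


def build_timeline(records, start=None, end=None):
    """Flatten the three timestamps of each file into (timestamp, path, event)
    tuples, sorted by time, optionally restricted to [start, end]."""
    events = []
    for path, created, modified, accessed in records:
        for ts, event in ((created, "created"), (modified, "modified"), (accessed, "accessed")):
            if (start is None or ts >= start) and (end is None or ts <= end):
                events.append((ts, path, event))
    return sorted(events)


def recurring_pattern(records, min_hits=3):
    """Group files by (weekday, hour) of creation and return the groups with at
    least min_hits members, e.g. the 'saved at 2:00 am every Monday' pattern."""
    buckets = defaultdict(list)
    for path, created, _, _ in records:
        buckets[(WEEKDAYS[created.weekday()], created.hour)].append(path)
    return {key: paths for key, paths in buckets.items() if len(paths) >= min_hits}


def copied_files(records):
    """Files whose creation time is later than their modification time. On
    Windows a copy keeps the source's modified time but gets a new creation
    time, so this usually marks a file copied in from elsewhere."""
    return [path for path, created, modified, _ in records if created > modified]


if __name__ == "__main__":
    for ts, path, event in build_timeline(RECORDS, WINDOW_START, WINDOW_END):
        print(f"{ts:%Y-%m-%d %H:%M}  {event:<8}  {path}")
    print("recurring creation times:", recurring_pattern(RECORDS))
    print("created after modified:", copied_files(RECORDS))
```

The timeline is only as good as the clock it was taken from: the BIOS time and date recorded during acquisition (slide "Acquire the Evidence") give the offset to apply before comparing these timestamps with external records such as e-mail headers or access logs.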
Reporting on the Investigation
• The last step is to finish documenting the investigation and prepare a report on the investigation
• Documentation should include information such as:
  – Notes taken during initial contact with the lead investigator
  – Any forms used to start the investigation
  – A copy of the search warrant
  – Documentation of the scene where the computer was located
  – Procedures used to acquire, extract, and analyze the evidence
Reporting on the Investigation (Cont.)
A detailed final report should be organized into the following sections:
• Report summary
• Body of the report
• Conclusion
• Supplementary materials (e.g., glossary, appendices)
Reporting on the Investigation (Cont.)
The final detailed report should cover:
• Case investigator information (name and contact details)
• The suspect user information
• Case numbers or identifiers used by your department
• Location of the examination
• Type of information you have been requested to find
Reporting on the Investigation (Cont.)
The report summary should contain:
• Files found with evidentiary value
• Supporting files that back up the allegations
• Ownership analysis of files
• Analysis of data within suspect files
• Search types, including text strings, keywords, etc.
• Any attempts at data hiding, such as passwords, encryption, and steganography
Summary
Policies and procedures:
• Are key to a consistent and methodical investigation
• Aid in the management of a computer forensics lab
• Should be flexible enough to adjust to each case