Chapter 1: Understanding the Digital Forensics Profession and Investigations
What are the steps for problem solving?
1) make an initial assessment about the type of case you are investigating
2) determine a preliminary design or approach to the case
3) create a detailed checklist
4) determine the resources you need
5) obtain and copy an evidence drive
6) identify the risks
7) mitigate or minimize the risks
8) test the design
9) analyze and recover the digital evidence
10) investigate the data you recover
11) complete the case report
12) critique the case
The computer fraud and abuse act was passed when?
1986
How is digital forensics different from data recovery?
data recovery involves retrieving information that was deleted by mistake or lost during a power surge or server crash, and you usually know what you are looking for; digital forensics recovers data that users have hidden or deleted and validates it so that it can be used as evidence in court or at a corporate inquiry
During private investigations, what do you search for?
evidence to support allegations of violations of a company's rules or an attack on its assets
bit-stream image
file containing the bit-stream copy of all data on a disk or partition, also known as "image" or "image file"
Describe private-sector investigations
focus more on policy violations
Describe a Digital Evidence Specialist (DES)
has the skill to analyze the data and determine when another specialist should be called in to assist
Why was the Federal Rules of Evidence (FRE) created?
to ensure consistency in federal proceedings; the rules were proposed by the Supreme Court in 1972-73 and enacted by Congress in 1975
What is the role of a digital forensics professional?
to gather evidence to prove that a suspect committed a crime or violated a company policy; collect evidence that can be offered in court or at a corporate inquiry
What is the role of a computing investigator during an interview or interrogation?
to instruct the investigator conducting the interview or interrogation on what questions to ask and what the answers should be
What is a private-sector investigator's job?
to minimize risk to the company
What activities should a basic investigation plan include?
- Acquire the evidence
- Complete an evidence form and establish a chain of custody
- Transport the evidence to a computer forensics lab
- Secure the evidence in an approved secure container
- Prepare your forensics workstation
- Retrieve the evidence from the secure container
- Make a forensic copy of the evidence
- Return the evidence to the secure container
- Process the copied evidence with computer forensics tools
In private investigations, what are three types of situations that are common?
- abuse or misuse of computing assets - email abuse - internet abuse
To conduct an email abuse investigation, you need what?
- an electronic copy of the offending email that contains the message header data
- if available, email server log records
- for email systems that store users' messages on a central server, access to the server
- access to the computer so that you can perform a forensic analysis on it
- your preferred computer forensics tools
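The first item on that list is the one investigators most often get wrong. Below is an added example (not from the textbook) of what "message header data" buys you: it pulls the Received hop chain and the originating IP address out of a raw message with Python's standard email module. The message itself, and every hostname, ID and IP address in it, is constructed for illustration and is not real evidence.

```python
"""Parse the Received chain of an offending email (added example; the sample
message and all hosts/IPs in it are constructed, not real evidence)."""
import email
import re

# Constructed sample message. Each mail server prepends its own Received
# header, so the top one was added last (closest to the recipient).
RAW_EMAIL = """\
Received: from mail.example-corp.test (mail.example-corp.test [10.10.5.20])
\tby mx.example-corp.test with ESMTP id abc123;
\tMon, 03 Mar 2025 09:15:02 -0500
Received: from WORKSTATION-42 (unknown [192.0.2.77])
\tby mail.example-corp.test with ESMTPA id def456;
\tMon, 03 Mar 2025 09:14:58 -0500
Message-ID: <20250303141458.12345@example-corp.test>
From: "J. Doe" <jdoe@example-corp.test>
To: victim@example-corp.test
Subject: re: your review

You will regret this.
"""

# "from <host> (<reverse-dns> [<ip>]) by <host>" is the usual Received shape.
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<dst>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw_message):
    """Return the hops in transit order: index 0 is the first server that
    accepted the message, the last entry is the recipient's own MX."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received") or []:
        value = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue  # unparseable hop: skip here, but look at it by hand
        ip = IP_RE.search(m.group("info") or "")
        hops.append({"from": m.group("src"), "ip": ip.group(1) if ip else None,
                     "by": m.group("dst"), "raw": value})
    hops.reverse()
    return hops


def originating_ip(raw_message):
    """IP recorded by the first hop, i.e. the submitting client."""
    hops = parse_received_chain(raw_message)
    return hops[0]["ip"] if hops else None


def message_id(raw_message):
    """Message-ID, the key for correlating with the mail server's log records."""
    return email.message_from_string(raw_message)["Message-ID"]


if __name__ == "__main__":
    for i, hop in enumerate(parse_received_chain(RAW_EMAIL), 1):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("originating IP:", originating_ip(RAW_EMAIL))
    print("Message-ID:", message_id(RAW_EMAIL))
```

Only the Received lines added by servers your organization controls can be trusted; a sender can forge any header beneath them. That is why the server log records are on the list: match the Message-ID and timestamp against the mail server's log to confirm that the first hop really did accept the message from that address at that time.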
To conduct internet abuse investigations, you need what?
- the organization's internet proxy server logs
- the suspect computer's IP address
- the suspect computer's disk drive
- your preferred computer forensics analysis tool
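The first two items are used together: the proxy logs are filtered on the suspect computer's IP address and summarized by destination. The following added example (not from the textbook) does that over a handful of constructed log lines written in Squid's native access.log layout; the IP addresses, hostnames and byte counts are made up for illustration.

```python
"""Summarize one client's activity from proxy logs (added example; the log
lines below are constructed in Squid's native access.log layout)."""
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample. Fields: timestamp elapsed client code/status bytes
# method URL user hierarchy/peer content-type
PROXY_LOG = """\
1741010100.123    245 192.0.2.77 TCP_MISS/200 51234 GET http://jobs.example.net/listings - HIER_DIRECT/203.0.113.5 text/html
1741010160.456     90 192.0.2.77 TCP_MISS/200 18231 GET http://jobs.example.net/apply - HIER_DIRECT/203.0.113.5 text/html
1741010200.789    310 192.0.2.77 TCP_TUNNEL/200 1048576 CONNECT files.example.org:443 - HIER_DIRECT/203.0.113.9 -
1741010300.000     55 10.10.5.41 TCP_HIT/200 4210 GET http://intranet.example-corp.test/ - HIER_NONE/- text/html
1741010400.000    120 192.0.2.77 TCP_DENIED/403 0 GET http://gambling.example.com/ - HIER_NONE/- text/html
"""


def parse_line(line):
    """Split one Squid native-format line into fields; None for malformed lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    url = parts[6]
    # CONNECT (HTTPS) requests log only host:port, not a full URL
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return {"ts": float(parts[0]), "client": parts[2], "status": parts[3],
            "bytes": int(parts[4]), "method": parts[5], "url": url, "host": host}


def summarize_client(log_text, client_ip):
    """Aggregate every request from client_ip by destination host, with the
    time window of the activity and how many requests the proxy refused."""
    summary = {"client": client_ip, "requests": 0, "denied": 0,
               "first": None, "last": None, "hosts": {}}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] != client_ip:
            continue
        summary["requests"] += 1
        if rec["status"].startswith("TCP_DENIED"):
            summary["denied"] += 1
        ts = rec["ts"]
        summary["first"] = ts if summary["first"] is None else min(summary["first"], ts)
        summary["last"] = ts if summary["last"] is None else max(summary["last"], ts)
        h = summary["hosts"].setdefault(rec["host"], {"requests": 0, "bytes": 0})
        h["requests"] += 1
        h["bytes"] += rec["bytes"]
    return summary


def fmt_ts(ts):
    """Squid timestamps are epoch seconds (UTC); render them for the report."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")


if __name__ == "__main__":
    s = summarize_client(PROXY_LOG, "192.0.2.77")
    print(f"{s['client']}: {s['requests']} requests ({s['denied']} denied) "
          f"between {fmt_ts(s['first'])} and {fmt_ts(s['last'])}")
    for host, h in sorted(s["hosts"].items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"  {host:28} {h['requests']:3} req {h['bytes']:>9} bytes")
```

A proxy log ties activity to an IP address, not to a person or even to a particular machine. Before attributing the summary to the suspect's computer, confirm from DHCP lease records, switch port data or logon records that the address belonged to that machine during the time window, and corroborate the proxy entries against browser history and cache recovered from the disk drive.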
When conducting public-sector investigations, you must understand laws on computer-related crimes including what?
- standard legal processes - guidelines on search and seizure - how to build a criminal case
What are the two types of evidence custody forms?
- Single-evidence form: lists each piece of evidence on a separate page
- Multi-evidence form: lists multiple pieces of evidence for one case on a single page
One of the most important policies defines the rules for using the company's computers and networks. What is this policy known as?
Acceptable Use Policy
In October 2012, an ISO standard for digital forensics was ratified. what is it?
ISO/IEC 27037:2012, Information technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence
What is the difference between an interview and an interrogation?
Interview: usually conducted to collect information from a witness or suspect about specific facts related to an investigation; Interrogation: the process of trying to get a suspect to confess
Existing laws can't keep up with the rate of technological change. When statutes don't exist, case law is used. What is this?
It allows legal counsel to apply previous similar cases to current one in an effort to address ambiguity in laws
Digital investigations fall into 2 categories. What are they?
Public-sector investigations and private-sector investigations
Businesses are advised to specify an authorized requester. Who is this?
Someone who has the power to initiate investigations
Forensic investigators often work as part of a team, known as the investigations triad. What makes up the triad? What does each discipline do?
- Vulnerability/threat assessment and risk management: tests and verifies the integrity of stand-alone workstations and network servers
- Network intrusion detection and incident response: detects intruder attacks by using automated tools and monitoring network firewall logs
- Digital investigations: manages investigations and conducts forensics analysis of systems suspected of containing evidence
What is a police blotter?
a historical database of previous crimes
What is an affidavit?
a sworn statement in support of facts about, or evidence of, a crime; it must include exhibits (attachments) that support the allegation
Describe a digital evidence first responder (DEFR)
arrives at an incident scene, assesses the situation, and takes precautions to acquire and preserve evidence
What is a bit-stream copy?
bit-by-bit copy of the original storage medium
How can businesses reduce the risk of litigation?
by publishing and maintaining policies that employees find easy to read and follow; also displaying a warning banner on computer screens that informs end users that the organization reserves the right to inspect computer systems and network traffic at will
Investigating digital devices includes
collecting data securely, examining suspect data to determine details such as origin and content, presenting digital information to courts, applying laws to digital device practices
Describe network intrusion detection and incident response
detects intruder attacks by using automated tools and monitoring network firewall logs
What kinds of crimes are private sector crimes?
e-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage
What are write blocker devices?
hardware or software that blocks all write operations to the evidence drive, so you can attach it to a workstation (for example, boot to Windows with the drive connected) and examine it without altering its contents
What is an evidence custody form?
helps you document what has been done with the original evidence and its forensics copies; also called a chain-of-evidence form
When was the FBI Computer Analysis and Response Team (CART) formed?
in 1984 to handle cases involving digital evidence; by late 1990s, CART teamed up with Department of Defense Computer Forensics Laboratory (DCFL)
Describe digital investigations
manages investigations and conducts forensics analysis of systems suspected of containing evidence
What is the 4th amendment to the U.S. Constitution?
protects everyone's right to be secure from unreasonable search and seizure; separate search warrants might not be necessary for digital evidence
What is a chain of custody?
route the evidence takes from the time you find it until the case is closed or goes to court
What is attorney-client privilege (ACP)?
the rule that communications between an attorney and client are confidential; a digital investigator working for an attorney must keep all findings confidential
What is a Bring your own device (BYOD) environment?
an environment in which employees use personal devices for work; some companies state that if you connect a personal device to the business network, it falls under the same rules as company property
What is the line of authority?
states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
Describe vulnerability/threat assessment and risk management
tests and verifies the integrity of stand-alone workstations and network servers
Digital Forensics
the application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation
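The definition above names validation with mathematics, validated tools and repeatability. The following added example (not from the textbook) shows what that looks like for the bit-stream copy defined earlier: image a constructed evidence file byte for byte, hash the original before and after, hash the copy, and record each step as a chain-of-custody entry. The case and item identifiers, the handler name and the file contents are all made up for illustration.

```python
"""Bit-stream acquisition with hash validation and a chain-of-custody record
(added example, not from the textbook; the evidence data is constructed)."""
import datetime
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large images never sit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file in one pass with every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_bitstream(source, dest):
    """Copy every byte of source to dest, hashing the stream as it is read,
    then re-hash dest independently; both must agree or the image is rejected."""
    stream = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            stream.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    copy = hash_file(dest)
    if copy["sha256"] != stream.hexdigest():
        raise RuntimeError("image verification failed: copy differs from source stream")
    return {"bytes": size, "sha256": stream.hexdigest(), "md5": copy["md5"]}


def custody_entry(case_id, item_id, action, handler, details):
    """One line of the custody log: who did what to which item, when, with what result."""
    stamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    return {"case": case_id, "item": item_id, "action": action,
            "handler": handler, "timestamp": stamp, **details}


def acquire_and_log(evidence_path, image_path, case_id, item_id, handler):
    """Hash the original, image it, hash the original again. Identical before/after
    hashes are the proof that acquisition (behind a write blocker) altered nothing."""
    before = hash_file(evidence_path)
    entries = [custody_entry(case_id, item_id, "hash-original", handler, before)]
    result = acquire_bitstream(evidence_path, image_path)
    entries.append(custody_entry(case_id, item_id, "acquire-image", handler,
                                 {"image": os.path.basename(image_path), **result}))
    after = hash_file(evidence_path)
    entries.append(custody_entry(case_id, item_id, "hash-original-after", handler, after))
    if after != before:
        raise RuntimeError("original evidence changed during acquisition; check the write blocker")
    return entries


def verify_image(image_path, expected_sha256):
    """Re-run before each analysis session: the working copy must still match the record."""
    return hash_file(image_path, ("sha256",))["sha256"] == expected_sha256


def write_log(path, entries):
    """Append custody entries as JSON lines (one record per line, never rewritten)."""
    with open(path, "a", encoding="utf-8") as f:
        for entry in entries:
            f.write(json.dumps(entry, sort_keys=True) + "\n")


def demo():
    """Run the whole procedure on a constructed 3 MiB 'drive' in a temp directory."""
    with tempfile.TemporaryDirectory() as work:
        evidence = os.path.join(work, "evidence.raw")
        image = os.path.join(work, "evidence.dd")
        with open(evidence, "wb") as f:  # constructed drive contents, not real data
            f.write(bytes(range(256)) * (3 * CHUNK // 256) + b"deleted_memo.txt")
        entries = acquire_and_log(evidence, image, "CASE-0001", "HDD-01", "examiner")
        write_log(os.path.join(work, "custody.jsonl"), entries)
        verified = verify_image(image, entries[1]["sha256"])
        with open(image, "r+b") as f:  # flip one byte to show how a corrupted copy is caught
            f.seek(4096)
            b = f.read(1)
            f.seek(4096)
            f.write(bytes([b[0] ^ 0xFF]))
        return {"entries": entries, "verified": verified,
                "verified_after_tamper": verify_image(image, entries[1]["sha256"])}


if __name__ == "__main__":
    for e in demo()["entries"]:
        print(json.dumps(e, sort_keys=True))
```

Two hashes are recorded (MD5 and SHA-256) because tools and courts in different jurisdictions still expect one or the other; the SHA-256 is the one to rely on. In real acquisitions the source is a block device behind a hardware write blocker and the image is written by a validated tool, but the evidence that the copy is exact is the same: matching hashes, recorded at each step.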
What are public-sector investigations?
they involve government agencies responsible for criminal investigations and prosecution
How should you secure your evidence?
- use evidence bags to secure and catalog the evidence
- use computer-safe products when collecting computer evidence (antistatic bags, antistatic pads) and well-padded containers
- use evidence tape to seal all openings (CD drive bays, insertion slots for power supply cords and USB cables)
- write your initials on the tape to prove the evidence has not been tampered with
- consider computer-specific temperature and humidity ranges
- make sure you have a safe environment for transporting and storing the evidence until a secure evidence container is available
When does a criminal investigation usually begin?
when someone finds evidence of or witnesses a crime; witness or victim makes an allegation to the police
Private-sector investigations involve private companies and lawyers who do what?
address company policy violations and litigation disputes (e.g., wrongful termination); businesses strive to minimize or eliminate litigation
How can you avoid altering evidence when conducting an investigation and analysis?
use write blocker devices when the original drive is attached, and work from a verified forensic copy rather than the original