Chapter 2


A search warrant

A search warrant is a written order issued by a judge that directs a law enforcement officer to search for a particular piece of evidence at a particular location.

Forensic Software Tools: AccessData FTK

AccessData FTK is a court-cited digital investigations platform that processes and indexes evidence up front, so filtering and searching are fast. FTK can be set up for distributed processing and incorporates web-based case management and collaborative analysis.

Chapter 2 Summary

All digital evidence must be stored in a container, which must be secured to prevent unauthorized access

Forensic Software Tools: Autopsy digital forensics platform

Autopsy is a digital forensics platform and graphical interface that can be used with The Sleuth Kit® and other digital forensics tools.

Best Practices

Best Practices: Get authorization to conduct the investigation from an authorized decision maker. Document all the events and decisions at the time of the incident and during the incident response.

Forensic Hardware Tools: Data Recovery Stick

Data Recovery Stick can recover deleted files.

Dealing with Networked Computer

Dealing with a Networked Computer: If the victim's computer has an Internet connection, the first responder must follow this procedure to protect the evidence:

Dealing with Powered Off Computers

Dealing with Powered Off Computers: At this point of the investigation, do not change the state of any electronic device or equipment. If it is switched OFF, leave it OFF. If a monitor is switched OFF and the display is blank:

Forensic Investigation Team: Decision Maker

Decision Maker: The person responsible for authorizing a policy or procedure during the investigative process. Based on the incident type, makes the decisions about the policies and procedures used to handle the incident.

Chapter 2 Summary

Documentation of the electronic crime scene is a continuous process during the investigation that creates a permanent record of the scene

Documentation of the electronic crime scene

Documentation of the electronic crime scene is a continuous process during the investigation, making a permanent record of the scene. It includes photographing and sketching of the scene.

Electronic storage device warrant

An electronic storage device warrant allows the first responder to search and seize the victim's computer components, such as hardware, software, storage devices, and documentation.

Forensic Hardware Tools: WriteProtect-DESKTOP

WriteProtect-DESKTOP provides secure, read-only write-blocking of suspect hard drives.

Forensic Hardware Tools: ZX-Tower

ZX-Tower provides secure sanitization of hard disks.

Forensic Investigation Team: Evidence Documenter

Evidence Documenter: gathers information and documents it from the occurrence of the incident to the end of the investigation.

Forensic Investigation Team: Evidence Examiner/Investigator

Evidence Examiner/Investigator: Examines the evidence acquired and sorts the useful evidence.

Forensic Investigation Team: Evidence Manager

Evidence Manager: holds all the information about the evidence (name, evidence type, time, source of evidence, etc.) and manages and maintains a record of the evidence so that it is admissible in a court of law.

Exhibit numbering aaa/ddmmyy/nnnn/zz:

Exhibit numbering is the process of tagging each piece of evidence with a sequential number that encodes case and evidence details. This allows the investigator to identify the evidence easily and know its details.

Forensic Investigation Team: Expert Witness

Expert Witness: Offers a formal opinion as a testimony in a court of law.

Forensic Hardware Tools: FRED

FRED systems are optimized for stationary laboratory acquisition and analysis. FRED acquires data directly from IDE/EIDE/ATA/SATA/ATAPI/SAS/FireWire/USB hard drives and storage devices and saves forensic images to Blu-ray, DVD, CD, or hard drives.

Forensic Software Tools: EnCase

Guidance Software's EnCase rapidly acquires data from a variety of devices and unearths potential evidence with disk-level forensic analysis. It produces comprehensive reports on the findings and maintains the integrity of the evidence in a format the courts have come to trust.

Forensic Laws

Forensic Laws:
18 USC §1029 - Fraud and related activity in connection with access devices
18 USC §1030 - Fraud and related activity in connection with computers

Tools to obtain information from different common social media websites: continued

Forensic Software H&A forensics, Geo360, Navigator by LifeRaft Social, Emotive, etc.

Image Integrity Tools:

Image Integrity Tools: HashCalc - creates MD5 hashes (and digests in 12 other algorithms, 13 in total) for files, text, and hex strings.

Forensic Hardware Tools: Image MASSterTM Wipe PRO

Image MASSter™ Wipe PRO is a hard drive sanitization station.

TEMPEST

TEMPEST is an unclassified short name referring to investigations and studies of compromising emanations. Compromising emanations are unintentional intelligence-bearing signals that, if intercepted and analyzed, will disclose classified information when it is transmitted, received, handled, or otherwise processed by any information processing equipment.

Forensic Hardware Tools: Tableau T8-R2 Forensic USB Bridge

Tableau T8-R2 Forensic USB Bridge offers secure, hardware-based write blocking of USB storage devices.

Forensic Software Tools: The Sleuth Kit

The Sleuth Kit is a collection of command-line tools and a C library used to analyze disk images and recover files from them.

Chain of Custody is: continued

The chain of custody governs the collection, handling, storage, testing, and disposition of evidence. It helps ensure that the evidence is protected against tampering or substitution. Chain-of-custody documentation should list all the people involved in collecting and preserving the evidence and their actions, with a date and time stamp for each activity.

computer forensics investigation process

The computer forensics investigation process follows a methodical approach for preparing for the investigation, collecting and analyzing the evidence, and managing the case from reporting through to its conclusion.

Exhibit numbering aaa/ddmmyy/nnnn/zz: continued

The investigators should mark all the evidence in a pre-agreed format, such as: aaa/ddmmyy/nnnn/zz.

Image Integrity Tools: Data Analysis Tools Sleuth Kit continued

The plug-in framework also allows additional modules to be incorporated to analyze file contents and build automated systems. The library can be embedded in larger digital forensics tools, and the command-line tools can be used directly to find evidence.

Chapter 2 Summary

To preserve the integrity of the physical evidence, all evidence collected should be handled carefully

Tools to obtain information from different common social media websites:

Tools to obtain information from different common social media websites: Netvizz, twecoll, divud, Digitalfootprints, Netlytic, X1 Social Discovery, Facebook

Forensic Laws

18 USC §1361-2 - Prohibits malicious mischief

Forensic Laws

18 USC §2252A - Child pornography
18 USC §2252B - Misleading domain names on the Internet

Forensic Laws

18 USC §2702 - Voluntary disclosure of customer communications or records (to government and non-government entities)

Forensic Laws

42 USC §2000aa - Privacy Protection Act: special steps to take during a seizure so that it does not infringe freedom of expression

Image Integrity Tools: Recover Lost or Deleted Data

Advanced Disk Recovery - quick or deep scan for lost or deleted files
UndeletePlus - same as above

Preserving Electronic Evidence: Continued

Check the connections of the telephone modem, cable, ISDN, and DSL. Remove the power plug from the router or modem.

Investigation Methodology: continued

Data Analysis
Evidence Assessment
Documentation and Reporting
Testify as an Expert Witness

Image Integrity Tools: Data Analysis Tools

Data Analysis Tools: FTK Imager - a data preview and imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs, and network drives, and examination of the contents of forensic images or memory dumps. FTK Imager can also create MD5 or SHA-1 hashes of files, review and recover files deleted from the Recycle Bin, export files and folders from forensic images to disk, and mount a forensic image to view its contents in Windows Explorer.

Best Practices: continued

Depending on the scope of the incident and the presence of any national security or life-safety issues, the first priority is to protect the organization from further harm.

Image Integrity Tools: Data Analysis Tools

EnCase Forensic - a popular multi-purpose forensic platform that includes many useful tools supporting several areas of the digital forensic process. It also generates an evidence report. EnCase Forensic helps investigators acquire large amounts of evidence as fast as possible, from laptops and desktop computers to mobile devices; it acquires the data directly and integrates the results into the case.

Image Integrity Tools: continued

HashMyFiles - calculates the MD5 hash of one or more files and can also display the MD5 hashes of all files in a folder.

Documentation of the electronic crime scene: continued

If the evidence gathered by the CFP suggests that the suspect has committed a crime, he or she will produce that evidence in court. If the evidence suggests that the suspect has breached company policy, the CFP will hand over the evidence at the corporate inquiry.

Documentation of the electronic crime scene: continued

If the suspect is present at the time of the search and seizure, the incident manager or the laboratory manager may consider asking some questions. However, they must comply with the relevant human resources or legislative guidelines for their jurisdiction.

Dealing with Networked Computer: Continued

Keep the collected evidence away from magnets, high temperatures, radio transmitters, and other elements that may damage its integrity. Document all the steps involved in searching and seizing the victim's computer for the later investigation.

Image Integrity Tools: continued

MD5 Calculator - displays the MD5 hash of a file so it can be compared with a provided hash value.
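The hashing tools listed above all do the same job: compute a digest of an image or file and compare it with the value recorded at acquisition time. The script below is an added example (not code from the original page or from any of the tools named) that performs that check in Python; it reads the image in fixed-size chunks so a multi-gigabyte image does not have to fit in memory, computes MD5, SHA-1 and SHA-256 in one pass, and shows that a single flipped byte breaks every digest. The sample image and the tampered copy are constructed in a temporary directory.

```python
"""Verify the integrity of a forensic disk image with file hashes.

Added example, not from the original page or any vendor tool. The sample
"image" written by make_sample_image() is constructed for the demo.
"""
import hashlib
import io
import os
import tempfile

CHUNK = 1024 * 1024  # hash 1 MiB at a time so large images do not fill RAM


def hash_stream(stream, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hex digest} for a binary stream, reading it once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha1", "sha256")):
    """Convenience wrapper for in-memory data (small files, test vectors)."""
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Hash a file on disk, e.g. an E01/dd image or an exported artifact."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def verify_image(path, expected):
    """Compare the digests recorded in the acquisition log with fresh ones.

    expected: {algorithm: hex digest}. Returns (ok, mismatched_algorithms).
    Digests are compared case-insensitively because tools print both forms.
    """
    actual = hash_file(path, tuple(expected))
    mismatches = [a for a in expected if actual[a].lower() != expected[a].lower()]
    return (not mismatches, mismatches)


def make_sample_image(directory, tamper=False):
    """Write a constructed 3 MiB pseudo-image; flip one byte when tamper=True."""
    data = bytearray((b"EVIDENCE" * 128) * 3072)  # 1024 bytes * 3072 = 3 MiB
    if tamper:
        data[2_000_000] ^= 0x01  # one bit, deep inside the image
    path = os.path.join(directory, "tampered.dd" if tamper else "sample.dd")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Acquire, record the digests, then re-verify a clean and a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        original = make_sample_image(tmp)
        recorded = hash_file(original)  # what the acquisition log would store
        ok_clean, _ = verify_image(original, recorded)
        tampered = make_sample_image(tmp, tamper=True)
        ok_bad, bad = verify_image(tampered, recorded)
    return ok_clean, ok_bad, bad


if __name__ == "__main__":
    print(demo())  # (True, False, ['md5', 'sha1', 'sha256'])
```

Recording more than one algorithm costs nothing extra at acquisition time (the file is read once) and means a court challenge to MD5 or SHA-1 collisions can be answered with the SHA-256 value taken at the same moment.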

Dealing with Powered Off Computers: continued

Move the mouse slightly. If the screen does not change, do not press any other key. Photograph the screen.

Preserving Electronic Evidence: Continued

Photograph the connections between the computer system and the related cables, and label them. Label every connector and cable connected to the peripheral devices.

Setting up a CFL: continued

Physical security recommendations. Have the lab forensically accredited (ASCLD/LAB accreditation, ISO/IEC 17025).

Forensic Investigation Team: Attorney

Attorney: provides legal advice about the investigation and the legal issues involved in the forensics investigation process.

Image Integrity Tools: Recover Lost or Deleted Data

Recover My Files - recovers files deleted from the Recycle Bin or lost through accidental formatting, a hard disk crash, etc.

Image Integrity Tools: Recover Lost or Deleted Data

Recuva - recovers all types of lost files from disks or removable media.

Preserving Electronic Evidence: Continued

Remove any portable disks available at the scene to safeguard potential evidence. Keep tape over the drive slots and the power connector. Photograph the connections between the computer system and the related cables, and label them. Label every connector and cable connected to the peripheral devices.

Preserving Electronic Evidence: Continued

Remove the power cable, depending on the power state of the computer (ON, OFF, or sleep mode). Do not turn the computer ON if it is OFF. Take a photo of the monitor screen if the computer is ON.

Forensic Laws

Rule 1002 - Requirement of the original
Rule 1003 - Admissibility of duplicates
Rule 1004 - Admissibility of other evidence of content

Forensic Laws

Rule 609 - Impeachment by evidence of a criminal conviction
Rule 614 - Court's calling or examining a witness
Rule 701 - Opinion testimony by lay witnesses

Forensic Laws

Rule 705 - Disclosing the facts or data underlying an expert's opinion
Rule 801 - Hearsay (definitions and exclusions)
Rule 901 - Authenticating or identifying evidence

Image Integrity Tools: Data Analysis Tools

The Sleuth Kit (TSK) - a library and collection of command-line tools for investigating disk images. The core functionality of TSK analyzes volume and file system data.

Dealing with Powered Off Computers: continued

Turn the monitor ON, move the mouse slightly, observe the change from a blank screen to another screen, note the changes, and photograph the screen. If a monitor is switched ON and the display is blank:

Dealing with Networked Computer: Continued

Unplug all the cords and devices connected to the computer and label them for later identification. Unplug the main power cord from the wall socket. Pack the collected electronic evidence properly and place it in a static-free bag.

Dealing with Networked Computer: Continued

Unplug the network cable from the router and modem; an Internet connection can leave the computer vulnerable to further attack. Do not use the PC to search for evidence, because doing so may alter the existing evidence and compromise its integrity.

Exhibit numbering aaa/ddmmyy/nnnn/zz: continued

aaa are the initials of the forensic analyst or law enforcement officer seizing the equipment. ddmmyy is the date of seizure.

Phases Involved in the Computer Forensics Investigation Process: Investigation Phase:

Acquisition, preservation, and analysis of the data to identify the source of the crime and the culprit; applying technical knowledge to find evidence and to examine, document, and preserve the findings.

Phases Involved in the Computer Forensics Investigation Process Post-investigation Phase:

Ensure the report provides adequate and acceptable evidence. The report should comply with all local laws and standards; it should be legally sound and acceptable in a court of law.

Exhibit numbering aaa/ddmmyy/nnnn/zz: continued

nnnn is the sequential number of the exhibits seized by aaa, starting with 001 and going up to nnnn. zz is the sequence letter for parts of the same exhibit (e.g., 'A' could be the CPU, 'B' the monitor, 'C' the keyboard, etc.).
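The aaa/ddmmyy/nnnn/zz scheme is a small format, and the easiest way to keep it consistent across a seizure is to generate and validate the labels with code rather than by hand. The following is an added example (not from the original page) that builds labels for a whole seizure and parses or rejects labels presented later. It assumes, beyond what the page states, that initials are two or three letters, that nnnn is zero-padded to four digits, and that parts are lettered A, B, C in the order the components are listed; the officer initials and dates used are made up.

```python
"""Generate and validate exhibit labels in the aaa/ddmmyy/nnnn/zz format.

Added example, not from the original page. Assumptions: 2-3 letter initials,
nnnn zero-padded to four digits, parts lettered A.. in listing order.
"""
import re
from datetime import date, datetime
from string import ascii_uppercase

EXHIBIT_RE = re.compile(
    r"^(?P<aaa>[A-Z]{2,3})/(?P<ddmmyy>\d{6})/(?P<nnnn>\d{4})/(?P<zz>[A-Z]{1,2})$"
)


def _as_date(seized_on):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(seized_on) if isinstance(seized_on, str) else seized_on


def make_exhibit_id(initials, seized_on, seq, part):
    """Build one label, e.g. make_exhibit_id('JDS', '2024-03-15', 1, 'A')."""
    if not 1 <= seq <= 9999:
        raise ValueError("sequence number must fit in nnnn (1..9999)")
    return f"{initials.upper()}/{_as_date(seized_on):%d%m%y}/{seq:04d}/{part.upper()}"


def parse_exhibit_id(label):
    """Return the components of a label, or raise ValueError if malformed.

    The date field is actually parsed, so a label such as JDS/320124/0001/A
    (32 January) is rejected rather than merely pattern-matched.
    """
    m = EXHIBIT_RE.match(label)
    if not m:
        raise ValueError(f"malformed exhibit id: {label!r}")
    seized_on = datetime.strptime(m["ddmmyy"], "%d%m%y").date()
    return {
        "initials": m["aaa"],
        "seized_on": seized_on,
        "seq": int(m["nnnn"]),
        "part": m["zz"],
    }


def is_valid_exhibit_id(label):
    """Boolean form of parse_exhibit_id for use in evidence-intake checks."""
    try:
        parse_exhibit_id(label)
        return True
    except ValueError:
        return False


def label_seizure(initials, seized_on, exhibits, first_seq=1):
    """Number a whole seizure in evidence-bag order.

    exhibits: list of exhibits, each a list of part descriptions, e.g.
    [["CPU", "monitor", "keyboard"], ["USB drive"]].
    Returns a list of (label, description) pairs.
    """
    labels = []
    for offset, parts in enumerate(exhibits):
        if len(parts) > len(ascii_uppercase):
            raise ValueError("more than 26 parts in one exhibit; split it")
        seq = first_seq + offset
        for letter, description in zip(ascii_uppercase, parts):
            labels.append((make_exhibit_id(initials, seized_on, seq, letter), description))
    return labels


if __name__ == "__main__":
    for label, what in label_seizure("JDS", "2024-03-15", [["CPU", "monitor"], ["USB drive"]]):
        print(label, what)
```

Parsing the date field instead of only matching six digits is the detail that catches transcription errors at intake, which is when they are still cheap to fix.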

Phases Involved in the Computer Forensics Investigation Process: Pre-investigation and Investigation Phases:

Pre-investigation Phase: planning the process, defining mission goals, and securing the case perimeter and the devices involved. Investigation Phase: the main phase of the computer forensics investigation, performed by professionals; acquisition, preservation, and analysis of the data to identify the source of the crime and the culprit; applying technical knowledge to find evidence and to examine, document, and preserve the findings.

"When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity." United States v. David, 756 F. Supp. 1385, 1392 (D. Nev. 1991). Agents may search a place or object without a warrant or probable cause if a person with authority has consented. Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973).

Checklist to Prepare for a Computer Forensics Investigation

1. Do not turn the computer off or on, run any programs, or attempt to access data on the computer.
2. Secure any relevant media, including hard drives, cell phones, DVDs, USB drives, etc., that the subject may have used.

Checklist to Prepare for a Computer Forensics Investigation: continued

3. Suspend document destruction and recycling that may pertain to the relevant media or users at the time of the issue.
4. Perform a preliminary assessment of the crime scene and identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination.

Chapter 2 Summary

Three phases make up the Computer Forensics Investigation Process: Pre-investigation, Investigation, and Post-investigation.

Checklist to Prepare for a Computer Forensics Investigation: continued

5. Once the machine is secured, obtain information about the machine, its peripherals, and the network it was connected to.
6. If possible, obtain passwords to access encrypted or password-protected files.

Checklist to Prepare for a Computer Forensics Investigation: continued

7. Compile a list of names, e-mail addresses, and other information about those with whom the subject might have communicated.
8. If the computer is accessed before the forensic expert is able to secure a mirror image, note the user(s) who accessed it, what files were accessed, and when the access occurred. If possible, find out why the PC was accessed.

Checklist to Prepare for a Computer Forensics Investigation: continued

9. Maintain a chain of custody for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession.
10. Create a list of keywords or phrases to use when searching for relevant data.

Chapter 2 Summary

A CFL is a location designated for conducting a computer-based investigation on the collected evidence

Forensic Software Tools: Cain & Abel

Cain & Abel is a password recovery tool for Microsoft operating systems. It uses sniffing, dictionary, brute-force, and cryptanalysis attacks. It can also record VoIP conversations, decode scrambled passwords, recover wireless network keys, reveal password boxes, uncover cached passwords, and analyze routing protocols.

Forensic Software Tools: Capsa sniffer

Capsa is a network sniffer that supports over 300 network protocols.

Chain of Custody is

Chain of Custody is a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory. It is a roadmap that shows how investigators collected, analyzed, and preserved the evidence.

Forensic Software Tools: FileMerlin

FileMerlin converts word processing, spreadsheet, presentation, and database files between a wide range of file formats.

Chapter 2 Summary

Final report should include what the investigator did during the investigation, and what he or she found

Forensic Investigation Team: Incident Analyzer

Incident Analyzer: Analyzes incidents as they occur. He or she examines each incident with regard to its type, how it affects the systems, and the threats and vulnerabilities associated with it.

Forensic Investigation Team: Incident Responder

Incident Responder: Responsible for the measures taken when an incident occurs, securing the incident area and collecting the evidence that is present at the crime scene. He or she should disconnect the system from other systems to stop the spread of an incident

The Computer Forensics Investigation Methodology:

Investigation Methodology:
First Response
Search and Seizure
Collect the Evidence
Secure the Evidence
Data Acquisition

Chain of Custody is: continued

It ensures accurate auditing of the original data evidence, imaging of the source media, tracking of the logs, and so on. The chain of custody shows the technology used and the methodology adopted in the forensic phases as well as the persons involved in it.
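The chain of custody described above is a record of who held which exhibit, what they did with it, and when, and its value depends on that record not being quietly rewritten. The ledger below is an added example (not from the original page) of how a practitioner might keep such a record in software: every entry carries the exhibit's digest and the hash of the previous entry, so verify() detects an edited, removed or reordered entry and an exhibit whose digest changed while in custody. The custodians, timestamps and digests in the demo are constructed.

```python
"""Tamper-evident chain-of-custody ledger.

Added example, not from the original page. Each entry is chained to the one
before it by SHA-256, so altering history breaks the chain. All names,
timestamps and digests used in demo() are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def _entry_digest(entry):
    """SHA-256 over a canonical JSON encoding of the entry, minus its own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CustodyLedger:
    def __init__(self):
        self.entries = []

    def record(self, when, custodian, action, exhibit_id, exhibit_sha256, note=""):
        """Append one custody event; returns the new entry's hash."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "when": when,              # ISO-8601 UTC timestamp
            "custodian": custodian,    # person taking the action
            "action": action,          # seized, transferred, imaged, analyzed, stored...
            "exhibit_id": exhibit_id,  # e.g. JDS/150324/0001/A
            "exhibit_sha256": exhibit_sha256,
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Re-derive every link; returns (ok, list of problems found)."""
        problems = []
        prev = GENESIS
        first_digest = {}
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence gap or reordering")
            if e["prev_hash"] != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if _entry_digest(e) != e["entry_hash"]:
                problems.append(f"entry {i}: contents altered after recording")
            # an exhibit's digest must stay constant for its whole custody history
            known = first_digest.setdefault(e["exhibit_id"], e["exhibit_sha256"])
            if known != e["exhibit_sha256"]:
                problems.append(f"entry {i}: digest of {e['exhibit_id']} changed")
            prev = e["entry_hash"]
        return (not problems, problems)

    def custodians(self, exhibit_id):
        """Everyone who has handled the exhibit, in order (for the court record)."""
        return [e["custodian"] for e in self.entries if e["exhibit_id"] == exhibit_id]


def demo():
    """Build a clean ledger, then tamper with it; returns both verify() results."""
    digest = hashlib.sha256(b"constructed exhibit image").hexdigest()
    ledger = CustodyLedger()
    ledger.record("2024-03-15T10:02:00Z", "J. Smith", "seized", "JDS/150324/0001/A", digest)
    ledger.record("2024-03-15T12:30:00Z", "A. Lee", "transferred", "JDS/150324/0001/A", digest)
    ledger.record("2024-03-16T09:00:00Z", "A. Lee", "imaged", "JDS/150324/0001/A", digest)
    clean = ledger.verify()
    ledger.entries[0]["custodian"] = "Mallory"  # rewrite history after the fact
    return clean, ledger.verify()


if __name__ == "__main__":
    print(demo())
```

A hash chain only proves that the ledger has not changed since the last hash you trust; whoever holds the ledger could rewrite all of it. In practice the latest entry hash is written on the paper custody form, countersigned at each handover, or published to a system the custodian cannot edit, which is what turns the chain into evidence.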

Forensic Software Tools: L0phtCrack

L0phtCrack is a password auditing and recovery software

Chapter 2 Summary

Make a duplicate of the collected data so as to preserve the original

Forensic Software Tools: NIST Computer Forensic Tool Testing Project (CFTT)

NIST has launched the Computer Forensic Tool Testing Project (CFTT), which establishes a "methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware."

Forensic Software Tools: Nuix Corporate Investigation Suite

Nuix Corporate Investigation Suite used to collect, process, analyze, review, and report evidence.

Forensic Software Tools: Ophcrack

Ophcrack is a free GUI driven Windows password cracker based on rainbow tables

Forensic Software Tools: Oxygen Forensic Kit

Oxygen Forensic Kit is a ready-to-use and customizable mobile forensics solution for field and in-lab use. It allows extraction of data from the device and also creates reports and analyzes the data in the field.

Forensic Software Tools: PALADIN

PALADIN is a modified "live" Linux distribution that bundles the PALADIN Toolbox.

Forensic Hardware Tools: PC-3000 Data Extractor

PC-3000 Data Extractor diagnoses and fixes file system issues so that the client's data can be recovered.

Forensic Hardware Tools: PC-3000 Flash

PC-3000 Flash is a hardware and software suite for recovering flash- based storage

Forensic Hardware Tools: Paraben's Chat Stick

Paraben's Chat Stick is a thumb-drive device that searches an entire computer for chat logs.

Forensic Hardware Tools: Paraben's StrongHold Faraday Bags

Paraben's StrongHold Faraday Bags block out wireless signals to protect evidence.

Forensic Investigation Team: Photographer

Photographer: Photographs the crime scene and all evidence. Should hold a valid certification.

Phases Involved in the Computer Forensics Investigation Process Post-investigation Phase:

Post-investigation Phase: Reporting and documentation of all the actions undertaken and the findings made during the course of the investigation. Ensure that the target audience can easily understand the report.

Phases Involved in the Computer Forensics Investigation Process Pre-investigation Phase:

Pre-investigation Phase: all the tasks performed prior to the commencement of the actual investigation: setting up a computer forensics lab (CFL), toolkit, and workstation; building the investigation team; and getting approval from the relevant authority.

Preserving Electronic Evidence

Preserving Electronic Evidence: Document the actions and changes observed on the monitor, system, printer, or other electronic devices. Verify whether the monitor is ON, OFF, or in sleep mode.

Forensic Software Tools: R-Drive Image

R-Drive Image is a utility that creates disk image files for backup or duplication purposes.

Forensic Hardware Tools: RAPID IMAGE 7020 X2

RAPID IMAGE 7020 X2 designed to copy one "Master" hard drive to up to 19 "Target" hard drives

Forensic Software Tools: Recuva

Recuva recover lost pictures, music, docs, video, email, or other file type from all types of media

Forensic Hardware Tools: RoadMASSter-3 X2

RoadMASSter-3 X2 is a ruggedized portable forensic lab for hard disk data acquisition and analysis.

Forensic Laws

Rule 402 - General admissibility of relevant evidence
Rule 502 - Attorney-client privilege and work product; limitations on waiver
Rule 608 - A witness's character for truthfulness or untruthfulness

Chapter 2 Summary

Search warrant is an order from a judge that directs LE to search for a particular piece of evidence at a particular location

Service Provider search warrant

A service provider search warrant allows first responders or investigators to consult the service provider and obtain the available information about the victim's computer: service records, billing records, and subscriber information.

Setting up a CFL:

Setting up a CFL: planning and budgeting; location and structural concerns; work area considerations (50-63 sq ft per station, no windows); HR considerations (certifications and experience).
