Chapter 2
A search warrant
A search warrant is a written order issued by a judge that directs a law enforcement officer to search for a particular piece of evidence at a particular location.
Forensic Software Tools: AccessData FTK
AccessData FTK is a court-cited digital investigations platform that processes and indexes data up front, so filtering and searching are fast. FTK can be set up for distributed processing and incorporates web-based case management and collaborative analysis.
Chapter 2 Summary
All digital evidence must be stored in a container, which must be secured to prevent unauthorized access.
Forensic Software Tools: Autopsy digital forensics platform
Autopsy is a digital forensics platform and GUI that can be used with The Sleuth Kit® and other digital forensics tools.
Best Practices
Get authorization to conduct the investigation from an authorized decision maker.
Document all the events and decisions at the time of the incident and during the incident response.
Forensic Hardware Tools: Data Recovery Stick
Data Recovery Stick can recover deleted files.
Dealing with Networked Computer
If the victim's computer has an Internet connection, the first responder must follow this procedure to protect the evidence:
Dealing with Powered Off Computers
At this point in the investigation, do not change the state of any electronic device or equipment. If it is switched OFF, leave it OFF.
If a monitor is switched OFF and the display is blank:
Forensic Investigation Team: Decision Maker
Decision Maker: The person responsible for authorizing a policy or procedure during the investigative process. Based on the incident type, he or she makes decisions about the policies and procedures used to handle the incident.
Chapter 2 Summary
Documentation of the electronic crime scene is a continuous process during the investigation that creates a permanent record of the scene.
Documentation of the electronic crime scene
Documentation of the electronic crime scene is a continuous process during the investigation, making a permanent record of the scene. It includes photographing and sketching of the scene.
Electronic storage device warrant
An electronic storage device warrant allows the first responder to search and seize the victim's computer components, such as hardware and software, storage devices, and documentation.
Forensic Hardware Tools: WriteProtect-DESKTOP
WriteProtect-DESKTOP provides secure hardware write-blocking, giving read-only access to suspect hard drives.
Forensic Hardware Tools: ZX-Tower
ZX-Tower provides secure sanitization of hard disks.
Forensic Investigation Team: Evidence Documenter
Evidence Documenter: gathers information and documents it from the occurrence of the incident to the end of the investigation.
Forensic Investigation Team: Evidence Examiner/Investigator
Evidence Examiner/Investigator: Examines the evidence acquired and sorts the useful evidence.
Forensic Investigation Team: Evidence Manager
Evidence Manager: has all the information about the evidence (name, evidence type, time, source of evidence, etc.) and manages and maintains a record of the evidence such that it is admissible in a court of law.
Exhibit numbering aaa/ddmmyy/nnnn/zz:
Exhibit numbering is the process of tagging evidence with a sequential number that includes case and evidence details. This allows the investigator to easily identify the evidence and know its details.
Forensic Investigation Team: Expert Witness
Expert Witness: Offers a formal opinion as a testimony in a court of law.
Forensic Hardware Tools: FRED
FRED systems are optimized for stationary laboratory acquisition and analysis. FRED will acquire data directly from IDE/EIDE/ATA/SATA/ATAPI/SAS/Firewire/USB hard drives and storage devices and save forensic images to Blu-Ray, DVD, CD, or hard drives.
Forensic Software Tools: EnCase
Guidance Software's EnCase rapidly acquires data from a variety of devices and unearths potential evidence with disk-level forensic analysis. It produces comprehensive reports on the findings and maintains the integrity of the evidence in a format the courts have come to trust.
Forensic Laws
18 USC §1029 - Fraud and related activity in connection with access devices
18 USC §1030 - Fraud and related activity in connection with computers
Tools to obtain information from different common social media websites: continued
Forensic Software H&A forensics, Geo360, Navigator by LifeRaft Social, Emotive, etc.
Image Integrity Tools:
HashCalc - creates an MD5 hash for files, text, and hex strings; supports 13 different algorithms.
Forensic Hardware Tools: Image MASSter™ Wipe PRO
Image MASSter™ Wipe PRO is a hard drive sanitization station.
TEMPEST
TEMPEST is an unclassified short name referring to investigations and studies of compromising emanations. Compromising emanations are unintentional intelligence-bearing signals that, if intercepted and analyzed, will disclose classified information when it is transmitted, received, handled, or otherwise processed by any information processing equipment.
Forensic Hardware Tools: Tableau T8-R2 Forensic USB Bridge
Tableau T8-R2 Forensic USB Bridge offers secure, hardware-based write blocking of USB storage devices.
Forensic Software Tools: The Sleuth Kit
The Sleuth Kit is a collection of command line tools and a C library used to analyze disk images and recover files from them.
Chain of Custody is: continued
The chain of custody governs the collection, handling, storage, testing, and disposition of evidence. It helps to protect evidence against tampering or substitution. Chain of custody documentation should list all the people involved in the collection and preservation of evidence and their actions, with a stamp for each activity.
computer forensics investigation process
The computer forensics investigation process includes a methodological approach for preparing for the investigation, collecting and analyzing evidence, and managing the case from reporting to the conclusion.
Exhibit numbering aaa/ddmmyy/nnnn/zz: continued
The investigators should mark all the evidence in a pre-agreed format, such as: aaa/ddmmyy/nnnn/zz.
Image Integrity Tools: Data Analysis Tools Sleuth Kit continued
The plug-in framework also allows additional modules to be incorporated to analyze file contents and build automated systems. The library can be incorporated into larger digital forensics tools, and the command line tools can be used directly to find evidence.
Chapter 2 Summary
To preserve the integrity of the physical evidence, all evidence collected should be handled carefully.
Tools to obtain information from different common social media websites:
Tools to obtain information from different common social media websites: Netvizz, twecoll, divud, Digitalfootprints, Netlytic, X1 Social Discovery, Facebook
Forensic Laws
18 USC §1361-2 - Prohibits malicious mischief
Forensic Laws
18 USC §2252A - law about child pornography
18 USC §2252B - misleading domain names on the Internet
Forensic Laws
18 USC §2702 - voluntary disclosure of contents to government and non-government entities
Forensic Laws
42 USC §2000AA - Privacy Protection Act; special steps to take during a seizure so as not to suppress freedom of expression
Image Integrity Tools: Recover Lost or Deleted Data
Advanced Disk Recovery - quick or deep scan for lost or deleted files
UndeletePlus - same as above
Preserving Electronic Evidence: Continued
Check the connections of the telephone modem, cable, ISDN, and DSL.
Remove the power plug from the router or modem.
Investigation Methodology: continued
Data Analysis
Evidence Assessment
Documentation and Reporting
Testify as an Expert Witness
Image Integrity Tools: Data Analysis Tools
FTK Imager - a data preview and imaging tool that enables analysis of files and folders on local hard drives, CDs/DVDs, and network drives, and examination of the content of forensic images or memory dumps. FTK Imager can also create MD5 or SHA1 hashes of files, review and recover files deleted from the Recycle Bin, export files and folders from forensic images to disk, and mount a forensic image to view its contents in Windows Explorer.
Best Practices: continued
Depending on the scope of the incident and the presence of any national security or life safety issues, the first priority is to protect the organization from further harm.
Image Integrity Tools: Data Analysis Tools
EnCase Forensic - a popular multi-purpose forensic platform that includes many useful tools supporting several areas of the digital forensic process. It also generates an evidence report. EnCase Forensic can help investigators acquire large amounts of evidence as fast as possible, from laptops and desktop computers to mobile devices. EnCase Forensic directly acquires the data and integrates the results into the case.
Image Integrity Tools: continued
HashMyFiles - calculates the MD5 hash of one or more files; can also display the MD5 hashes of files or folders.
Documentation of the electronic crime scene: continued
If the evidence gathered by the CFP suggests that the suspect has committed a crime, he or she will produce that evidence in court. If the evidence suggests that the suspect has breached company policy, the CFP will hand over the evidence at the corporate enquiry.
Documentation of the electronic crime scene: continued
If the suspect is present at the time of the search and seizure, the incident manager or the laboratory manager may consider asking some questions. However, they must comply with the relevant human resources or legislative guidelines for their jurisdiction.
Dealing with Networked Computer: Continued
Keep the collected evidence away from magnets, high temperatures, radio transmitters, and other elements that may damage the integrity of the evidence.
Document all the steps involved in searching and seizing the victim's computer for later investigation.
Image Integrity Tools: continued
MD5 Calculator - view the MD5 hash of a file to compare it to a provided hash value.
Dealing with Powered Off Computers: continued
Move the mouse slightly. If the screen does not change, do not perform any other keystroke. Photograph the screen.
Preserving Electronic Evidence: Continued
Photograph the connections between the computer system and the related cables, and label them.
Label every connector and cable connected to the peripheral devices.
Setting up a CFL: continued
Physical security recommendations. Have the lab forensically licensed: ASCLD/LAB accreditation, ISO/IEC 17025.
Forensic Investigation Team: Attorney
Attorney: gives legal advice about the investigation and the legal issues involved in the forensic investigation process.
Image Integrity Tools: Recover Lost or Deleted Data
Recover My Files - recovers deleted files emptied from the Recycle Bin, or lost to accidental formatting, a hard disk crash, etc.
Image Integrity Tools: Recover Lost or Deleted Data
Recuva - recovers all types of lost files from disk or removable media.
Preserving Electronic Evidence: Continued
Remove any portable disks that are available at the scene to safeguard potential evidence.
Keep the tape on drive slots and the power connector.
Photograph the connections between the computer system and the related cables, and label them.
Label every connector and cable connected to the peripheral devices.
Preserving Electronic Evidence: Continued
Remove the power cable, depending on the power state of the computer, i.e., ON, OFF, or in sleep mode.
Do not turn ON the computer if it is in the OFF state.
Take a photo of the monitor screen if the computer is in the ON state.
Forensic Laws
Rule 1002 - Requirement of original
Rule 1003 - Admissibility of duplicates
Rule 1004 - Admissibility of other evidence of content
Forensic Laws
Rule 609 - Impeachment by evidence of a criminal conviction
Rule 614 - Calling and interrogation of witnesses by court
Rule 701 - Opinion testimony by lay witnesses
Forensic Laws
Rule 705 - Disclosure of facts or data underlying expert opinion
Rule 801 - Hearsay
Rule 901 - Authenticating or identifying evidence
Image Integrity Tools: Data Analysis Tools
The Sleuth Kit (TSK) - a library and collection of command line tools for investigating disk images. The core functionality of TSK allows analyzing volume and file system data.
Dealing with Powered Off Computers: continued
Turn the monitor ON, move the mouse slightly, observe the change from a blank screen to another screen, note the changes, and photograph the screen.
If a monitor is switched ON and the display is blank:
Dealing with Networked Computer: Continued
Unplug all the cords and devices connected to the computer and label them for later identification.
Unplug the main power cord from the wall socket.
Pack the collected electronic evidence properly and place it in a static-free bag.
Dealing with Networked Computer: Continued
Unplug the network cable from the router and modem, since an Internet connection can make the computer vulnerable to further attack.
Do not use the PC to search for evidence, because doing so may alter the existing evidence and compromise its integrity.
Exhibit numbering aaa/ddmmyy/nnnn/zz: continued
aaa are the initials of the forensic analyst or law enforcement officer seizing the equipment. ddmmyy is the date of seizure.
Phases Involved in the Computer Forensics Investigation Process Pre-investigation Phase:
Acquisition, preservation, and analysis of the data to identify the source of the crime and the culprit. Implementing the technical knowledge to find evidence and to examine, document, and preserve the findings.
Phases Involved in the Computer Forensics Investigation Process Post-investigation Phase:
Ensure the report provides adequate and acceptable evidence. The report should comply with all local laws and standards; it should be legally sound and acceptable in a court of law.
Exhibit numbering aaa/ddmmyy/nnnn/zz: continued
nnnn is the sequential number of the exhibits seized by aaa, starting with 001 and going up to nnnn. zz is the sequence number for parts of the same exhibit (e.g., 'A' could be the CPU, 'B' the monitor, 'C' the keyboard, etc.).
Phases Involved in the Computer Forensics Investigation Process Pre-investigation Phase:
Planning the process, defining mission goals, and securing the case perimeter and the devices involved.
Investigation Phase: the main phase of the computer forensics investigation, performed by professionals. It covers the acquisition, preservation, and analysis of the data to identify the source of the crime and the culprit, and the implementation of technical knowledge to find evidence and to examine, document, and preserve the findings.
"When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity." United States v. David, 756 F. Supp. 1385, 1392 (D. Nev. 1991).
Agents may search a place or object without a warrant or probable cause if a person with authority has consented. Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973).
Checklist to Prepare for a Computer Forensics Investigation
1. Do not turn the computer off or on, run any programs, or attempt to access data on the computer.
2. Secure any relevant media, including hard drives, cell phones, DVDs, USB drives, etc., that the subject may have used.
Checklist to Prepare for a Computer Forensics Investigation: continued
3. Suspend document destruction and recycling that may pertain to relevant media or users at the time of the issue.
4. Perform a preliminary assessment of the crime scene and identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination.
Chapter 2 Summary
There are three phases in the Computer Forensics Investigation Process: Pre-investigation, Investigation, and Post-investigation.
Checklist to Prepare for a Computer Forensics Investigation: continued
5. Once the machine is secured, obtain information about the machine, the peripherals, and the network to which it was connected.
6. If possible, obtain passwords to access encrypted or password-protected files.
Checklist to Prepare for a Computer Forensics Investigation: continued
7. Compile a list of names, e-mail addresses, and other information about those with whom the subject might have communicated.
8. If the computer is accessed before the forensic expert is able to secure a mirror image, note the user(s) who accessed it, what files were accessed, and when the access occurred. If possible, find out why the PC was accessed.
Checklist to Prepare for a Computer Forensics Investigation: continued
9. Maintain a chain of custody for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession.
10. Create a list of key words or phrases to use when searching for relevant data.
Chapter 2 Summary
A CFL is a location designated for conducting a computer-based investigation on the collected evidence.
Forensic Software Tools: Cain & Abel
Cain & Abel is a password recovery tool for Microsoft operating systems. It uses sniffing, dictionary, brute-force, and cryptanalysis attacks. It can also record VoIP conversations, decode scrambled passwords, recover wireless keys, reveal password boxes, uncover cached passwords, and analyze routing protocols.
Forensic Software Tools: Capsa sniffer
Capsa is a network sniffer that supports over 300 network protocols.
Chain of Custody is
Chain of Custody is a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory. It is a roadmap that shows how investigators collected, analyzed, and preserved the evidence.
Forensic Software Tools: FileMerlin
FileMerlin converts word processing, spreadsheet, presentation, and database files between a wide range of file formats.
Chapter 2 Summary
The final report should include what the investigator did during the investigation and what he or she found.
Forensic Investigation Team: Incident Analyzer
Incident Analyzer: Analyzes the incidents based on their occurrence. He or she examines the incident with regard to its type, how it affects the systems, and the different threats and vulnerabilities associated with it.
Forensic Investigation Team: Incident Responder
Incident Responder: Responsible for the measures taken when an incident occurs, securing the incident area, and collecting the evidence present at the crime scene. He or she should disconnect the system from other systems to stop the spread of the incident.
The following are the steps of the Computer Forensics Investigation Methodology:
Investigation Methodology:
First Response
Search and Seizure
Collect the Evidence
Secure the Evidence
Data Acquisition
Chain of Custody is: continued
It ensures accurate auditing of the original data evidence, imaging of the source media, tracking of the logs, and so on. The chain of custody shows the technology used and the methodology adopted in the forensic phases as well as the persons involved in it.
Forensic Software Tools: L0phtCrack
L0phtCrack is a password auditing and recovery application.
Chapter 2 Summary
Make a duplicate of the collected data so as to preserve the original.
Forensic Software Tools: NIST Computer Forensic Tool Testing Project (CFTT)
NIST has launched the Computer Forensic Tool Testing Project (CFTT), which establishes a "methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware."
Forensic Software Tools: Nuix Corporate Investigation Suite
Nuix Corporate Investigation Suite is used to collect, process, analyze, review, and report on evidence.
Forensic Software Tools: Ophcrack
Ophcrack is a free, GUI-driven Windows password cracker based on rainbow tables.
Forensic Software Tools: Oxygen Forensic Kit
Oxygen Forensic Kit is a ready-to-use and customizable mobile forensic solution for field and in-lab use. It not only extracts data from the device but also creates reports and analyzes data in the field.
Forensic Software Tools: PALADIN
PALADIN is a modified "live" Linux distribution based on the PALADIN Toolbox.
Forensic Hardware Tools: PC-3000 Data Extractor
PC-3000 Data Extractor diagnoses and fixes file system issues, so that the client's data can be obtained.
Forensic Hardware Tools: PC-3000 Flash
PC-3000 Flash is a hardware and software suite for recovering flash-based storage.
Forensic Hardware Tools: Paraben's Chat Stick
Paraben's Chat Stick is a thumb drive device that will search the entire computer and scan it for chat logs.
Forensic Hardware Tools: Paraben's StrongHold Faraday Bags
Paraben's StrongHold Faraday Bags block out wireless signals to protect evidence.
Forensic Investigation Team: Photographer
Photographer: Photographs the crime scene and all evidence. He or she should have an authentic certification.
Phases Involved in the Computer Forensics Investigation Process Post-investigation Phase:
Post-investigation Phase: Reporting and documentation of all the actions undertaken and the findings during the course of an investigation. Ensure that the target audience can easily understand the report.
Phases Involved in the Computer Forensics Investigation Process Pre-investigation Phase:
Pre-investigation Phase: all the tasks performed prior to the commencement of the actual investigation: setting up a computer forensics lab (CFL), toolkit, and workstation, assembling the investigation team, and getting approval from the relevant authority.
Preserving Electronic Evidence
Document the actions and changes observed on the monitor, system, printer, or other electronic devices.
Verify whether the monitor is ON, OFF, or in sleep mode.
Forensic Software Tools: R-Drive Image
R-Drive Image is a utility that creates disk image files for backup or duplication purposes.
Forensic Hardware Tools: RAPID IMAGE 7020 X2
RAPID IMAGE 7020 X2 is designed to copy one "Master" hard drive to up to 19 "Target" hard drives.
Forensic Software Tools: Recuva
Recuva recovers lost pictures, music, documents, video, email, or other file types from all types of media.
Forensic Hardware Tools: RoadMASSter-3 X2
RoadMASSter-3 X2 is a ruggedized portable forensic lab for hard disk data acquisition and analysis.
Forensic Laws
Rule 402 - General admissibility of relevant evidence
Rule 502 - Attorney-client privilege and work product; limitations on waiver
Rule 608 - Evidence of character and conduct of witness
Chapter 2 Summary
A search warrant is an order from a judge that directs law enforcement to search for a particular piece of evidence at a particular location.
Service Provider search warrant
A service provider search warrant allows first responders or investigators to consult the service provider and obtain the available information about the victim's computer, as well as service records, billing records, and subscriber information.
Setting up a CFL:
Planning and budgeting.
Location and structural concerns.
Work area considerations (50-63 sq ft per station); no windows.
HR considerations (certifications and experience).