Module 1
BYOD
Bring Your Own Device
EAR
Export Administration Regulations
Field of Digital Forensics can also encompass:
- Research
- Incident Response
"Digital Forensics" as defined by NIST
"Digital Forensics" as defined by NIST is: "the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data."
Fourth Amendment
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
3 Types of Situations in Private-Sector Environments
- Abuse or misuse of digital assets, aka "company rules violation"
- E-mail abuse
- Internet abuse
Evidence-Custody Form Items
- Case number
- Investigating organization
- Investigator
- Nature of case
- Location evidence was obtained
- Description of evidence
- Vendor name
- Model number or serial number
- Evidence recovered by
- Date and time
- Evidence placed in locker
- Item #/Evidence processed by/Disposition of evidence/Date/Time
- Page
Systematic Approach
- Make an initial assessment about the type of case you're investigating
- Determine a preliminary design or approach to the case
- Create a detailed checklist
- Determine the resources you need
- Obtain and copy an evidence drive
- Identify the risks
- Mitigate or minimize the risks
- Test the design
- Analyze and recover the digital evidence
- Investigate the data you recover
- Complete the case report
- Critique the case
Gathering Resources
- Original storage media
- Evidence custody form
- Evidence container for the storage media, such as an evidence bag
- Bit-stream imaging tool; in this case, FTK Imager Lite
- Forensic workstation to copy and examine the evidence
- Secure evidence locker, cabinet, or safe
Sample checklist for a company-policy violation case
- Situation
- Nature of the case
- Specifics of the case
- Type of evidence
- Known disk format
- Location of evidence
Conducting Industrial Espionage Investigation Steps:
1. Gather all personnel assigned to the investigation and brief them on the plan and any concerns.
2. Gather the resources needed to conduct the investigation.
3. Start the investigation by placing surveillance systems, such as cameras and network monitors, at key locations.
4. Discreetly gather any additional evidence, such as the suspect's computer drive, and make a bit-stream image for follow-up examination.
5. Collect all log data from networks and e-mail servers, and examine them for unique items that might relate to the investigation.
6. Report regularly to management and corporate attorneys on your investigation's status and current findings.
7. Review the investigation's scope with management and corporate attorneys to determine whether it needs to be expanded and more resources added.
Conducting an ACP case
1. Request a memo from the attorney directing you to start the investigation. The memorandum must state that the investigation is privileged communication and list your name and any other associates' names assigned to the case.
2. Request a list of keywords of interest to the investigation.
3. After you have received the memorandum, initiate the investigation and analysis. Any findings you made before receiving the memorandum are subject to discovery by the opposing attorney.
4. For drive examinations, make two bit-stream images (discussed later in this chapter) of the drive, using a different tool for each image. This approach is advisable because every tool has its strengths and weaknesses. If you have large enough storage drives, make each bit-stream image uncompressed (refer to Chapter 3) so that if it becomes corrupt, you can still examine uncorrupted areas with your preferred forensics analysis tool.
5. Verify the hash values on all files on the original and re-created disks or its image file.
6. Methodically examine every portion of the drive (both allocated and unallocated data areas) and extract all data.
7. Run keyword searches on allocated and unallocated disk space. Follow up the searches to determine whether the results contain information that supports the case.
8. For Windows OSs, use specialty tools to analyze and extract data from the Registry, such as AccessData Registry Viewer or a Registry viewer program (discussed in more detail in Chapter 5). Use the Edit, Find menu option in Registry Editor, for example, to search for keywords of interest to the investigation.
9. For binary files, such as CAD drawings, find the correct program and, if possible, make printouts of the binary file content. If the files are too large, load the specialty program on a separate workstation with the recovered binary files so that the attorney can view them.
10. For unallocated data recovery, use a tool that removes or replaces nonprintable data.
11. Consolidate all recovered data from the evidence bit-stream image into well-organized folders and subfolders. Store the recovered data output, using a logical and easy-to-follow storage method for the attorney or paralegal.
Reducing the Risk of Litigation
1. Acceptable Use Policy
2. Warning Banner
General Steps for Investigation
1. Acquire the USB drive from the IT Department, which bagged and tagged the evidence.
2. Complete an evidence form and establish a chain of custody.
3. Transport the evidence to your digital forensics lab.
4. Place the evidence in an approved secure container.
5. Prepare your forensic workstations.
6. Retrieve the evidence from the secure container.
7. Make a forensic copy of the evidence drive (in this case, the USB drive).
8. Return the evidence drive to the secure container.
9. Process the copied evidence drive with your digital forensics tools.
Conduct of Examination
1. Assess the scope of the case: OS, hardware, peripheral devices.
2. Determine if resources are available to process all the evidence.
3. Determine whether you have the right tools to collect and analyze evidence.
4. Determine whether you need to call on other specialists to assist in collecting and processing evidence.
5. After gathering resources, delegate, collect, and process information related to the complaint.
6. After building your case, information is turned over to the prosecutor. As an investigator, you must then present the collected evidence with a report to the government's attorney.
Recommended steps for E-mail Investigations
1. For computer-based e-mail data files, such as Outlook .pst or .ost files, use the standard forensics analysis techniques and procedures described in this book for the drive examination.
2. For server-based e-mail data files, contact the e-mail server administrator and obtain an electronic copy of the suspect's and victim's e-mail folder or data.
3. For Web-based e-mail (Gmail, for example) investigations, search for Internet keywords to extract all related e-mail address information.
4. Examine header data of all messages of interest to the investigation.
Two categories of Digital Investigations
1. Public-Sector Investigations
2. Private-Sector Investigations
During PUBLIC investigations, you search for evidence to support CRIMINAL allegations. During PRIVATE investigations, you search for evidence to support allegations of VIOLATIONS of a company's rules or an attack on its assets.
Recommended steps for Internet Abuse case:
1. Use the standard forensic analysis techniques and procedures described for the disk drive examination.
2. Search for and extract all Web page URLs and other associated information.
3. Contact the network firewall administrator and request a proxy server log, if available, of the suspect computer's network device name or IP address for the dates of interest. Consult with the network administrator to confirm that these logs are maintained and how long the time to live (TTL) is set for the network's IP address assignments using Dynamic Host Configuration Protocol (DHCP).
4. Compare the data recovered from forensics analysis with the network server log data to confirm that they match.
5. If the URL data matches the network server log and the forensic disk examination, continue analyzing the suspect computer's drive data, and collect any relevant photos or Web pages that support the allegation. If there are no matches between the network server logs and the forensic examination shows no contributing evidence, report that the allegation is unsubstantiated.
The Investigations Triad
1. Vulnerability/threat assessment and risk management
2. Network intrusion detection and incident response
3. Digital investigations
Each function operates independently, but all three draw from one another when a large-scale investigation is being conducted.
Bit-Stream Copy
A bit-by-bit duplicate of data on the original storage medium. This process is usually called "acquiring an image," "making an image," or "forensic copy."
Interview
A conversation conducted to collect information from a witness or suspect about specific facts related to an investigation.
Approved Secure Container
A fireproof container locked by a key or combination. The approved secure container you need should be a locked, fireproof locker or cabinet that has limited access. Limited access means that only you and other authorized personnel can open the secure container.
Single-Evidence Form
A form that dedicates a page for each item retrieved for a case. It allows investigators to add more detail about exactly what was done to the evidence each time it was taken from the storage locker. See also evidence custody form.
Affidavit
A notarized document, given under penalty of perjury, that investigators create to detail their findings. This document is often used to justify issuing a warrant or to deal with abuse in a corporation. Also called a "declaration" when the document isn't notarized. In a criminal or public-sector case, if the police officer or investigator has sufficient cause to support a search warrant, the prosecuting attorney might direct him or her to submit an affidavit (also called a "declaration").
Digital Evidence First Responder (DEFR)
A professional who:
- secures digital evidence at the scene and ensures its viability while transporting it to the lab.
- has the skill and training to arrive on an incident scene, assess the situation, and take precautions to acquire and preserve evidence.
Digital Evidence Specialist (DES)
A specialist who has the skill to analyze the data and determine when another specialist should be called in to assist with the analysis.
Warning Banners
A warning banner usually appears when a computer starts or connects to the company intranet, network, or virtual private network (VPN) and informs end users that the organization reserves the right to inspect computer systems and network traffic at will. Text displayed on computer screens when people log on to a company computer; this text states ownership of the computer and specifies appropriate use of the machine or Internet access.
Forensic Workstation
A workstation set up to allow copying forensic evidence, whether it's on a hard drive, flash drive, or the cloud. It usually has software preloaded and ready to use. Depending on your needs, a forensic workstation can use the following operating systems:
- MS-DOS 6.22
- Windows 95, 98, or Me
- Windows NT 3.5 or 4.0
- Windows 2000, XP, Vista, 7, 8, or 10
- Linux
- Mac OS X and macOS
Visit www.digitalintelligence.com to examine the specifications of the Forensic Recovery of Evidence Device (F.R.E.D.) unit or www.forensiccomputers.com to look at current products.
"Digital Forensics" according to DIBS USA, Inc.
According to DIBS USA, Inc., a privately owned corporation specializing in digital forensics since the 1990s (www.dibsforensics.com), digital forensics involves scientifically examining and analyzing data from computer storage media so that it can be used as evidence in court.
Hostile Work Environment
An environment in which employees can't perform their assigned duties because of the actions of others. In the workplace, these actions include sending threatening or demeaning e-mail or a co-worker viewing pornographic or hate sites.
Multi-Evidence Form
An evidence custody form used to list all items associated with a case. See also evidence custody form.
What challenge does BYOD pose?
BYOD is a major challenge in company security, digital investigations, and compliance with regulations, including company policies. Some companies simply state that if you connect a personal device to the business network, it falls under the same rules as company property.
Gathering the Evidence
Before gathering evidence, remember you need antistatic bags and pads with wrist straps to prevent static electricity from damaging digital evidence.
1. Arrange to meet the IT manager to interview him and pick up the storage media.
2. After interviewing the IT manager, fill out the evidence form, have him sign it, and then sign it yourself.
3. Store the storage media in an evidence bag, and then transport it to your forensic facility.
4. Carry the evidence to a secure container, such as a locker, cabinet, or safe.
5. Complete the evidence custody form. As mentioned, if you're using a multi-evidence form, you can store the form in the file folder for the case. If you're also using single-evidence forms, store them in the secure container with the evidence. Reduce the risk of tampering by limiting access to the forms.
6. Secure the evidence by locking the container.
Professional conduct
Behavior expected of an employee in the workplace or other professional setting. You must maintain objectivity and confidentiality during an investigation, expand your technical knowledge constantly, and conduct yourself with integrity. Maintaining objectivity means you form opinions based on your education, training, experience, and the evidence in your cases. Avoid making conclusions about your findings until you have exhausted all reasonable leads and considered the available facts.
DCFL
By the late 1990s, CART had teamed up with the Department of Defense Computer Forensics Laboratory for research and training. For more information on the FBI's cybercrime investigation services, see www.fbi.gov/investigate/cyber.
Investigating digital devices includes:
- Collecting data securely
- Examining suspect data to determine details such as origin and content
- Presenting digital information to courts
- Applying laws to digital device practices
Attorney-Client Privilege
Communication between an attorney and client about legal matters is protected as confidential communications. The purpose of having confidential communications is to promote honest and open dialogue between an attorney and client. This confidential information must not be shared with unauthorized people.
3 Stages of a Criminal Case
Complaint, Investigation, and Prosecution
1. Someone files a complaint.
2. A specialist investigates the complaint.
3. With the help of a prosecutor, the specialist collects evidence and builds a case. If the evidence is sufficient, the case might proceed to trial.
FBI "CART"
Computer Analysis and Response Team (CART) was formed in 1984 to handle the increase in cases involving digital evidence.
Digital Forensics vs Data Recovery
DATA RECOVERY: Involves retrieving information that was deleted by mistake or lost during a power surge or server crash.
DIGITAL FORENSICS: The task of recovering data that users have hidden or deleted, with the goal of ensuring that the recovered data is valid so that it can be used as evidence. Examiners often approach a digital device not knowing whether it contains evidence. They must search storage media and piece together any data they find. Forensics software tools can be used for most cases.
Digital Forensics vs Network Forensics
DIGITAL FORENSICS:
- Used to investigate data that can be retrieved from a computer's HARD DRIVE or other STORAGE MEDIA.
- Digital forensics examiners retrieve information from a computer or its components.
- Information retrieved might already be on the drive, but it might not be easy to find or decipher.
NETWORK FORENSICS yields information about:
- How attackers gain access to a network
- Files they might have copied, examined, or tampered with
- Log files used to determine when users logged on
- Which URLs users accessed
- How they logged on to the network, and from what location
- What tracks or new files were left behind on a victim's computer, and what changes were made
Write-Blockers
Enables you to boot to Windows without writing data to the evidence drive. Many hardware write-blockers that connect to USB or FireWire ports are on the market. Several vendors sell write-blockers, including:
- Digital Intelligence Ultra-Kit, UltraBlock, FireFly, FireChief 800, and USB Write Blocker
- WiebeTECH Forensic DriveDock
- Guidance Software FastBloc
- Paralan's SCSI Write Blockers
- Tableau UltraBlock SAS Write Blocker
- Intelligent Computer Solutions (www.ics-iq.com) Image LinkMASSter Forensics Hard Case
Exhibits
Evidence used in court to prove a case. It's your responsibility to write the affidavit, which must include exhibits (evidence) that support the allegation to justify the warrant. You must then have the affidavit notarized under sworn oath to verify that the information in the affidavit is true.
Planning considerations for Industrial Espionage Investigations
Examine all e-mail of suspected employees, both company-provided e-mail and free Web-based services. Search Internet forums or blogs for any postings related to the incident. Initiate physical surveillance with cameras on people or things of interest to the investigation. If available, examine all facility physical access logs for sensitive areas, which might include secure areas where smart badges or video surveillance recordings are used. If there's a suspect, determine his or her location in relation to the vulnerable resource that was compromised. Study the suspect's work habits. Collect all incoming and outgoing phone logs to see whether any unique or unusual places were called.
Case Law
Existing laws and statutes simply can't keep up with the rate of technological change. Therefore, when statutes or regulations don't exist, case law is used. In common law nations, such as the United States, case law allows legal counsel to apply previous similar cases to current ones in an effort to address ambiguity in laws. Although law enforcement can certainly confiscate anything an arrested person is carrying and log that a device, such as a smartphone, was on the person, they don't necessarily have the right or authority to search the device.
Private-sector Investigations
Focuses more on policy violations, such as not adhering to Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. However, criminal acts, such as corporate espionage, can also occur. Although private-sector investigations often start as civil cases, they can develop into criminal cases; likewise, a criminal case can have implications leading to a civil case.
Inculpatory Evidence vs Exculpatory Evidence
INCULPATORY EVIDENCE, aka Incriminating Evidence: Evidence that indicates a suspect is guilty of the crime he or she is charged with.
EXCULPATORY EVIDENCE: Evidence that indicates the suspect is innocent of the crime.
ISO 27037 "Information technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence" defines what?
ISO 27037 defines the personnel and methods for acquiring and preserving digital evidence. See: https://www.iso.org/standard/44381.html
Authorized Requester
In a private-sector environment, the person who has the right to request or initiate an investigation, such as the chief security officer or chief intelligence officer.
Executing a search warrant
In general, after a judge approves and signs a search warrant, it's ready to be executed, meaning a DEFR can collect evidence as defined by the warrant. After you collect the evidence, you process and analyze it to determine whether a crime actually occurred. The evidence can then be presented in court in a hearing or trial.
ITAR
International Traffic in Arms Regulations
Public-sector Investigations
Involves government agencies responsible for criminal investigations and prosecution. Government agencies range from municipal, county, and state or provincial police departments to federal law enforcement agencies. These organizations must observe legal guidelines of their jurisdictions, such as Article 8 in the Charter of Rights of Canada and the Fourth Amendment to the U.S. Constitution restricting government search and seizure. The Department of Justice (DOJ) updates information on computer search and seizure regularly.
Private-sector Computer Crimes
Involves:
- E-mail harassment
- Gender and age discrimination
- White-collar crimes (defined by the FBI, www.fbi.gov/investigate/white-collar-crime) such as:
  -- falsification of data
  -- embezzlement
  -- sabotage
  -- industrial espionage
Anyone with access to a computer can commit these crimes.
Search Warrants
Legal documents that allow law enforcement to search an office, a home, or other locale for evidence related to an alleged crime.
Incident Response & Research in Digital Forensics
Most organizations are concerned with protecting their assets and containing the situation, not necessarily prosecuting or finding the person responsible. Research in digital forensics also isn't concerned with prosecution or validity of evidence.
NIST
National Institute of Standards and Technology (NIST)
Analysis Tools
- OSForensics
- Forensic Explorer
- EnCase
- FTK
- X-Ways Forensics
- LibreOffice
- IrfanView
Image Tip
Occasionally, the track and sector maps on the original and target disks don't match, even if you use disks of exactly the same size that are different makes or models. Tools such as Guidance EnCase and NTI SafeBack adjust for the target drive's geometry. One other tool, X-Ways WinHex Specialist Edition, can copy sector by sector to equal-size or larger disks without needing to force changes in the target disk's geometry.
FIRST RULE OF DIGITAL FORENSICS
Preserve the original evidence. Then conduct your analysis only on a copy of the data.
Conducting Private-sector Investigations
Private-sector investigations involve private companies and lawyers who address company policy violations and litigation disputes, such as wrongful termination. When conducting an investigation for a private company:
- Remember that business must continue with minimal interruption from your investigation; businesses usually focus on continuing their usual operations and making profits.
- Consider your investigation and apprehension of a suspect secondary to stopping the violation and minimizing damage or loss to the business.
- Businesses also strive to minimize or eliminate litigation, which is an expensive way to address criminal or civil issues.
Digital Forensics
Securing and analyzing digital information stored on a computer for use as evidence in civil, criminal, or administrative cases
Penetration Testers
Test for vulnerabilities of OSs and applications used in the network and conduct AUTHORIZED attacks on the network to assess vulnerabilities. Typically have several years of experience in system administration. Their job is to poke holes in the network to help an organization be better prepared for a real attack.
Fourth Amendment as it pertains to Digital Forensics
The Fourth Amendment to the U.S. Constitution (and each state's constitution) protects everyone's right to be secure in their person, residence, and property from search and seizure. Continuing development of the jurisprudence of this amendment has played a role in determining whether the search for digital evidence has established a different precedent, so separate search warrants might not be necessary. However, when preparing to search for evidence in a criminal case, many investigators still include the suspect's computer and its components in the search warrant to avoid later admissibility problems.
"Digital Forensics" - as defined by Ken Zatyko, former director of the Defense Computer Forensics Laboratory (DCFL)
"The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence (information of probative value that is stored or transmitted in binary form) after proper search authority, chain of custody, validation with mathematics (hash function), use of validated tools, repeatability, reporting and possible expert presentation"
Verdict
The decision returned by a jury. A judge or an administrative law judge then renders a judgment, or a jury hands down a verdict (after which a judge can enter a judgment).
Conducting an Industrial Espionage Investigation staff
- The digital investigator who's responsible for disk forensic examinations
- The technology specialist who is knowledgeable about the suspected compromised technical data
- The network specialist who can perform log analysis and set up network monitors to trap network communication of possible suspects
- The threat assessment specialist (typically an attorney) who's familiar with federal and state laws and regulations related to ITAR or EAR and industrial espionage
The International Competition Network has established guidelines (available at www.internationalcompetitionnetwork.org/uploads/library/doc627.pdf) for digital evidence gathering in private-sector settings; they're used by more than 90 jurisdictions.
Bit-Stream Image
The file where the bitstream copy is stored; usually referred to as an "image," "image save," or "image file."
E-mail Abuse Investigations
The following list is what you need for an investigation involving e-mail abuse:
- An electronic copy of the offending e-mail that contains message header data; consult with your e-mail server administrator
- If available, e-mail server log records; consult with your e-mail server administrator to see whether they are available
- For e-mail systems that store users' messages on a central server, access to the server; consult with your e-mail server administrator
- For e-mail systems that store users' messages on a computer as an Outlook .pst or .ost file, for example, access to the computer so that you can perform a forensic analysis on it
- Your preferred digital forensics analysis tool
Vulnerability/Threat Assessment and Risk Management
The group that determines the weakest points in a system. It covers physical security and the security of OSs and applications.
- Test and verify the integrity of stand-alone workstations and network servers
- Integrity checks cover the physical security of systems and of Operating Systems (OSs) and applications
- People working in this group are aka Penetration Testers
Search and Seizure
The legal act of acquiring evidence for an investigation. See also Fourth Amendment.
Acceptable Use Policy
The most important policy to define rules for using the company's computers and networks. Organizations should have all employees sign this acceptable use agreement. Published company policies also provide a line of authority for conducting internal investigations; they state who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence.
Line of Authority
The order in which people or positions are notified of a problem; these people or positions have the legal right to initiate an investigation, take possession of evidence, and have access to evidence.
Interrogation
The process of trying to get a suspect to confess to a specific incident or crime.
Chain of Custody
The route evidence takes from the time the investigator obtains it until the case is closed or goes to court.
Industrial Espionage
Theft of company-sensitive or proprietary company information, often to sell it to a competitor.
Network Intrusion Detection and Incident Response
This group detects intruder attacks by using automated tools and monitoring network firewall logs. When an external attack is detected, the response team tracks, locates, and identifies the intrusion method and denies further access to the network. If an intruder launches an attack that causes damage or potential damage, this team collects the necessary evidence, which can be used for civil or criminal litigation against the intruder and to prevent future intrusions. If an internal user is engaged in illegal acts or policy violations, the network intrusion detection and incident response group might assist in locating the user. Example: someone at a community college sends e-mails containing a worm to other users on the network. The network team realizes the e-mails are coming from a node on the internal network, and the security team focuses on that node.
Digital Investigations
This group manages investigations and conducts forensics analysis of systems suspected of containing evidence related to an incident or a crime. For complex casework, this group draws on resources from personnel in Vulnerability Assessment, Risk Management, and Network Intrusion Detection and Incident Response. However, the digital investigations group typically resolves or terminates case investigations.
2 Training Categories for Officers
To differentiate the training and experience officers have, ISO standard 27037 (www.iso.org/standard/44381.html) defines two categories:
1. Digital Evidence First Responder (DEFR)
2. Digital Evidence Specialist (DES)
The Federal Rules of Evidence (FRE), signed into law in 1973, were created to do what?
To ensure consistency in federal proceedings
Due Process
Well-defined policies give computer investigators and forensics examiners the authority to conduct an investigation. Policies also demonstrate that an organization intends to be fair-minded and objective about how it treats employees and state that the organization will follow due process for all investigations. Without defined policies, a business risks exposing itself to litigation from current or former employees.
Preparing for an Interview/Interrogation
- What questions do I need to ask the suspect to get the vital information about the case?
- Do I know what I'm talking about, or will I have to research the topic or technology related to the investigation?
- Do I need additional questions to cover other indirect issues related to the investigation?
Ingredients for Success:
- Being patient throughout the session
- Repeating or rephrasing questions to zero in on specific facts from a reluctant witness or suspect
- Being tenacious
Police Blotter
When a report about a crime is written, the law enforcement agency processes the report, and management decides to start an investigation or log the information into a POLICE BLOTTER, which provides a record of information about crimes that have been committed previously. Criminals often repeat actions in their illegal activities, and these patterns can be discovered by examining police blotters. This historical knowledge is useful when conducting investigations, especially in high-technology crimes. Blotters now are generally electronic files, often structured as databases, so they can be searched more easily than the old paper blotters. Example: https://spdblotter.seattle.gov/
Setting Up Your Workstation for Digital Forensics
With current digital forensics hardware and software, configuring a computer workstation or laptop as a forensic workstation is simple. All that's required are the following:
- A workstation running Windows 7 or later
- A write-blocker device
- Digital forensics acquisition tool
- Digital forensics analysis tool
- A target drive to receive the source or suspect disk data
- Spare PATA and SATA ports
- USB ports
Additional useful items include the following:
- Network interface card (NIC)
- Extra USB ports
- FireWire 400/800 ports
- SCSI card
- Disk editor tool
- Text editor tool
- Graphics viewer program
- Other specialized viewing tools
Conducting public-sector investigations
You must understand laws on computer-related crimes: standard legal processes, guidelines on search and seizure, and how to build a criminal case.
Internet Abuse Investigations
You need the following:
- The organization's Internet proxy server logs
- Suspect computer's IP address obtained from your organization's network administrator
- Suspect computer's disk drive
- Your preferred digital forensics analysis tool
Evidence Custody Form
aka Chain-of-Evidence form. A printed form indicating who has signed out and been in physical possession of evidence.