Module 1 - Understanding the Digital Forensics Profession and Investigations
A basic investigation plan should include the following activities:
- Acquire the evidence
- Complete an evidence form and establish a chain of custody
- Transport the evidence to a computer forensics lab
- Secure evidence in an approved secure container
Steps for problem solving (cont'd)
- Identify the risks
- Mitigate or minimize the risks
- Test the design
- Analyze and recover the digital evidence
- Investigate the data you recover
- Complete the case report
- Critique the case
Systematic Approach (Steps for problem solving)
- Make an initial assessment about the type of case you are investigating
- Determine a preliminary design or approach to the case
- Create a detailed checklist
- Determine the resources you need
- Obtain and copy an evidence drive
Digital investigations fall into two categories
- Public-sector investigations
- Private-sector investigations
Assessing the Case (Systematically outline the case details)
- Situation
- Nature of the case
- Specifics of the case
- Type of evidence
- Known disk format
- Location of evidence
Private-sector investigations
- Involve private companies and lawyers who address company policy violations and litigation disputes
- Businesses strive to minimize or eliminate litigation
Investigating digital devices
- Collecting data securely
- Examining suspect data to determine details such as origin and content
- Presenting digital information to courts
- Applying laws to digital device practices
Network intrusion detection and incident response
Detects intruder attacks by using automated tools and monitoring network firewall logs
Private-sector crimes
E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage
Businesses can avoid litigation by displaying a warning banner on computer screens
Informs end users that the organization reserves the right to inspect computer systems and network traffic at will
Public-sector investigations
Involve government agencies responsible for criminal investigations and prosecution; focus more on policy violations
Digital investigations
Manages investigations and conducts forensics analysis of systems suspected of containing evidence
A basic investigation plan (cont'd)
- Prepare your forensics workstation
- Retrieve the evidence from the secure container
- Make a forensic copy of the evidence
- Return the evidence to the secure container
- Process the copied evidence with computer forensics tools
Chain of custody
Route the evidence takes from the time you find it until the case is closed or goes to court
Vulnerability/threat assessment and risk management
Tests and verifies the integrity of stand-alone workstations and network servers
Digital forensics
The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.
Two types of custody forms
- Single-evidence form
  • Lists each piece of evidence on a separate page
- Multi-evidence form
Securing Your Evidence
- Use evidence bags to secure and catalog the evidence
- Use computer-safe products when collecting computer evidence
  • Antistatic bags
  • Antistatic pads
- Use well-padded containers
- Use evidence tape to seal all openings
  • CD drive bays
  • Insertion slots for power supply electrical cords and USB cables
Digital Forensics
- Vulnerability/threat assessment and risk management
- Network intrusion detection and incident response
- Digital investigations
FBI Computer Analysis and Response Team (CART)
formed in 1984 to handle cases involving digital evidence; by the late 1990s, CART teamed up with the Department of Defense Computer Forensics Laboratory (DCFL)
An evidence custody form
helps you document what has been done with the original evidence and its forensics copies; also called a chain-of-evidence form
Fourth Amendment to the U.S. Constitution
protects everyone's right to be secure from search and seizure.
Line of authority
states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
Federal Rules of Evidence (FRE)
was created to ensure consistency in federal proceedings
- Signed into law in 1973
- Many states' rules map to the FRE