CHFI V9
Guidance Software's EnCase
Rapidly acquire data from a variety of devices and unearth potential evidence with disk-level forensic analysis. Produce comprehensive reports on your findings and maintain the integrity of your evidence in a format the courts have come to trust.
Recuva
recovers lost pictures, music, documents, video, email, or any other file type from all types of media
Cybercrime
refers to "any illegal act that involves a computer, its systems, or its applications."
Administrative Investigation
refers to an internal investigation by an organization to discover whether its employees, clients and partners are abiding by its rules or policies (e.g., violation of company policies).
• Involves an agency or government performing inquiries to identify facts with reference to its own management and performance
• Non-criminal in nature and related to misconduct or activities of an employee that include but are not limited to:
o Violation of the organization's policies, rules, or protocols
o Resource misuse, damage or theft
o Threatening or violent behavior
o Sexual exploitation, harassment and abuse
o Improper promotion or pay raise, corruption and bribery
Forensic Readiness
refers to an organization's ability to make optimal use of digital evidence in a limited period and with minimal investigation costs. It includes technical and nontechnical actions that maximize an organization's competence to use digital evidence.
Admissible Evidence
must be relevant to the case, act in support of the client presenting it, and be well communicated and non-prejudiced.
Capsa
sniffer with support for over 300 network protocols
Computer Forensic Tool Testing Project (CFTT)
which establishes a "methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware."
search warrant
written order issued by a judge that directs a law enforcement officer to search for a particular piece of evidence at a particular location
Forensic Laws
• 18 USC §1029 - Fraud and related activity in connection with access devices
• 18 USC §1030 - Fraud and related activity in connection with computers
• 18 USC §1361-2 - Prohibits malicious mischief [page 986 references]
• 18 USC §2252A - law about child pornography
• 18 USC §2252B - misleading domains on the Internet [page not in book, but related to ECPA; page 76]
• 18 USC §2702 - voluntary disclosure of contents to government and non-government entities [page 76]
• 42 USC §2000AA - Privacy Protection Act, special steps to take during seizure that don't prevent freedom of expression [page 77]
• Rule 402 - General Admissibility of Relevant Evidence
• Rule 502 - Attorney-Client privilege and work product; Limitations on waiver
• Rule 608 - Evidence of character and conduct of witness
• Rule 609 - Impeachment by evidence of a criminal conviction
• Rule 614 - Calling and interrogation of witnesses by court
• Rule 701 - Opinion testimony by lay witnesses
• Rule 705 - Disclosure of facts or data underlying expert opinion [page 21]
• Rule 801 - Hearsay [page 77]
• Rule 901 - Authenticating or Identifying Evidence [page 77 and page 28]
• Rule 1002 - Requirement of original
• Rule 1003 - Admissibility of duplicates [page 28]
• Rule 1004 - Admissibility of other evidence of content
Rule 705
Disclosure of facts or data underlying expert opinion
Enterprise Theory of Investigation (ETI)
ETI is a methodology for investigating criminal activity. It adopts a holistic approach toward any criminal activity as a criminal operation rather than as a single criminal act.
Paraben's StrongHold
Faraday Bags block out wireless signals to protect evidence.
Digital Forensics Challenge
Forensic investigators face many challenges during the forensic investigation of a digital crime, such as extracting, preserving, and analyzing the digital evidence. For example, system data that an intruder can easily change or destroy should be given priority while assembling the evidence.
18 USC §1029
Fraud and related activity in connection with access devices
18 USC §1030
Fraud and related activity in connection with computers
Rule 402
General Admissibility of Relevant Evidence
18 USC §1361-2
Prohibits malicious mischief
Best Evidence Rule
The purpose of the best evidence rule is to prevent any alteration of digital evidence, either intentional or unintentional.
RoadMASSter-3 X2
a ruggedized, portable forensic lab for HDD data acquisition and analysis.
Image MASSterTM Wipe PRO
a hard drive sanitization station.
PC-3000 Flash
a hardware and software suite for recovering flash-based storage
Paraben's Chat Stick
a thumb drive device that will search the entire computer and scan it for chat logs
Service Provider search warrant
allows first responders or investigators to consult the service provider and obtain the available information about the victim's computer, such as service records, billing records, and subscriber information
Electronic storage device warrant
allows the first responder to search and seize the victim's computer components, such as hardware/software, storage devices, and documentation
Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973).
"When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity." United States v. David, 756 F. Supp. 1385, 1392 (D. Nev. 1991). Agents may search a place or object without a warrant or probable cause if a person with authority has consented. Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973).
Checklist to Prepare for a Computer Forensics Investigation
1. Do not turn the computer off or on, run any programs, or attempt to access data on the computer.
2. Secure any relevant media, including hard drives, cell phones, DVDs, USB drives, etc., that the subject may have used.
3. Suspend document destruction and recycling that may pertain to relevant media or users at the time of the issue.
4. Perform a preliminary assessment of the crime scene and identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination.
5. Once the machine is secured, obtain information about the machine, its peripherals, and the network to which it was connected.
6. If possible, obtain passwords to access encrypted or password-protected files.
7. Compile a list of names, e-mail addresses, and other information about those with whom the subject might have communicated.
8. If the computer is accessed before the forensic expert is able to secure a mirror image, note the user(s) who accessed it, what files were accessed, and when the access occurred. If possible, find out why the PC was accessed.
9. Maintain a chain of custody for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession.
10. Create a list of key words or phrases to use when searching for relevant data.
Standards and Criteria
1.1 All agencies that seize and/or examine digital evidence must maintain an appropriate SOP document. [page 30]
1.2 Agency management must review SOPs on an annual basis to ensure their continued suitability and effectiveness.
1.3 SOPs must be generally accepted or supported by data gathered and recorded in a scientific manner.
1.4 The agency must maintain written copies of the appropriate technical procedures.
1.5 The agency must use hardware and software that is appropriate and effective for the seizure/examination procedure.
1.6 All activities related to the seizure, storage, examination, or transfer of digital evidence must be recorded in writing and be available for review and testimony.
1.7 Any action that has the potential to alter, damage, or destroy any aspect of original evidence must be performed by qualified persons in a forensically sound manner.
Rules of Forensics Investigation
A forensic examiner must keep in mind certain rules to follow during a computer forensic examination, as well as to handle and analyze the evidence. This will safeguard the integrity of the evidence and render it acceptable in a court of law. The forensic examiner must make duplicate copies of the original evidence and start by examining only the duplicates. The duplicate copies must be accurate replications of the originals, and the forensic examiner must also authenticate the duplicate copies to avoid questions about the integrity of the evidence. The computer forensic examiner must not continue with the investigation if the examination is going to be beyond his or her knowledge level or skill level.
Rule 1003
Admissibility of duplicates
Rule 1004
Admissibility of other evidence of Content
Characteristics of Digital Evidence
• Admissible: relevant to the case, acts in support of the client presenting it, and is well communicated and non-prejudiced.
• Authentic: investigators must provide supporting documents regarding the authenticity, accuracy, and integrity of the evidence with details such as its source and its relevance to the case. If necessary, they must also furnish details such as the author of the evidence or the path of transmission.
• Complete: must either prove or disprove the consensual fact in the litigation. [page 15]
• Reliable: extract and handle the evidence while maintaining a record of the tasks performed during the process to prove that the evidence is dependable. Forensic investigation is conducted only on copies of the evidence.
• Believable: present the evidence in a clear manner to the jury and obtain expert opinions where necessary.
Incident Analyzer
Analyzes the incidents based on their occurrence. He or she examines the incident with regard to its type, how it affects the systems, and the different threats and vulnerabilities associated with it.
Dealing with Powered Off Computers
At this point of the investigation, do not change the state of any electronic devices or equipment:
• If it is switched OFF, leave it OFF.
If a monitor is switched OFF and the display is blank:
• Turn the monitor ON, move the mouse slightly, observe the change from a blank screen to another screen, note the changes, and photograph the screen.
If a monitor is switched ON and the display is blank:
• Move the mouse slightly. If the screen does not change, do not perform any other keystroke.
• Photograph the screen.
Rule 502
Attorney-Client privilege and work product; Limitations on waiver
Rule 901
Authenticating or Identifying Evidence
Rule 614
Calling and interrogation of witnesses by court
Types of approaches to manage cybercrime investigations
Civil cases involve disputes between two parties, which may include an individual versus a company, an individual versus another individual, or a company versus another company. They relate to violations of contracts and lawsuits, where a guilty verdict generally results in monetary damages to the plaintiff.
Criminal cases involve actions that are against the norms of society. DID YOU KNOW WHAT YOU DID? IF SO, IT IS CRIMINAL.
• Investigators must follow a set of standard forensic processes accepted by law in the respective jurisdiction.
• Investigators, under a court's warrant, have the authority to seize the computing devices.
• A formal investigation report is required.
• The law enforcement agencies are responsible for collecting and analyzing evidence.
• Punishments are harsh and include a fine, a jail sentence, or both.
• The standard of proof needs to be very high.
• It is difficult to capture certain evidence, e.g., GPS device evidence.
PC-3000
Data Extractor diagnoses and fixes file system issues, so that the client's data can be obtained.
Understanding Digital Evidence
Digital evidence includes all such information that is either stored or transmitted in digital form and has probative value. Investigators should take utmost care while gathering digital evidence as it is fragile in nature. According to Locard's Exchange Principle, "anyone or anything, entering a crime scene takes something of the scene, and leaves something of themselves behind."
Warrants
• Electronic storage device warrant: allows the first responder to search and seize the victim's computer components, such as hardware/software, storage devices, and documentation.
• Service provider search warrant: allows first responders or investigators to consult the service provider and obtain the available information about the victim's computer, such as service records, billing records, and subscriber information.
Rule 608
Evidence of character and conduct of witness
Evidence Examiner/Investigator
Examines the evidence acquired and sorts the useful evidence.
External attacks
External attacks originate from outside of an organization or can be remote in nature. Such attacks occur when there are inadequate information security policies and procedures.
Rule 609
Impeachment by evidence of a criminal conviction
Internal Attacks
Insider attacks, considered as a primary threat, refer to attacks by disgruntled individuals working in the same firm or household as the victim. Examples of internal attacks include espionage, theft of intellectual property, manipulation of records, and Trojan horse attack.
Non-volatile Data
Non-volatile data refers to the permanent data stored on secondary storage devices, such as hard disks and memory cards. Information stored in non-volatile form includes hidden files, slack space, swap file, index.dat files, unallocated clusters, unused partitions, registry settings, and event logs.
Expert Witness
Offers a formal opinion as a testimony in a court of law.
Rule 701
Opinion testimony by lay witnesses
Photographer
Photographs the crime scene and all evidence. Should have an authentic certification.
Phases Involved in the Computer Forensics Investigation Process
• Pre-investigation Phase: all the tasks performed prior to the commencement of the actual investigation.
o Setting up a computer forensics lab (CFL), toolkit, and workstation.
o Setting up the investigation team and getting approval from the relevant authority.
o Planning the process, defining mission goals, and securing the case perimeter and the devices involved.
• Investigation Phase: the main phase of the computer forensics investigation, performed by professionals.
o Acquisition, preservation, and analysis of the data to identify the source of the crime and the culprit.
o Applying technical knowledge to find evidence, and to examine, document, and preserve the findings.
• Post-investigation Phase: reporting and documentation of all the actions undertaken and the findings during the course of the investigation.
o Ensure that the target audience can easily understand the report.
o Ensure the report provides adequate and acceptable evidence.
o The report should comply with all local laws and standards.
o It should be legally sound and acceptable in a court of law.
Scientific Working Group on Digital Evidence (SWGDE)
Principle 1 To ensure that digital evidence is collected, preserved, examined, or transferred in a manner that safeguards the accuracy and reliability of the evidence, law enforcement and forensic organizations must establish and maintain an effective system for quality control.
42 USC §2000AA
Privacy Protection Act, special steps to take during seizure that don't prevent freedom of expression
Rule 1002
Requirement of original
Incident Responder
Responsible for the measures taken when an incident occurs, securing the incident area and collecting the evidence that is present at the crime scene. He or she should disconnect the system from other systems to stop the spread of the incident.
Decision Maker
The person responsible for the authorization of a policy or procedure during the investigative process. Based on the incident type, makes decisions about the policies and procedures used to handle the incident.
Volatile Data
Volatile data refers to the temporary information on a digital device that requires a constant power supply and is deleted if the power supply is interrupted. Important volatile data includes system time, logged-on user(s), open files, network information, process information, process-to-port mapping, process memory, clipboard contents, service/driver information, command history, etc.
Documentation of the electronic crime scene
a continuous process during the investigation, making a permanent record of the scene. It includes photographing and sketching the scene. Ch 2 sec 5.2.2 pg 101
• If the evidence gathered by the CFP suggests that the suspect has committed a crime, he or she will produce that evidence in court. If the evidence suggests that the suspect has breached company policy, the CFP will hand over the evidence at the corporate enquiry.
• If the suspect is present at the time of the search and seizure, the incident manager or the laboratory manager may consider asking some questions. However, they must comply with the relevant human resources or legislative guidelines with regard to their jurisdiction.
Criminal Cases
Criminal cases involve actions that are against the norms of society. DID YOU KNOW WHAT YOU DID? IF SO, IT IS CRIMINAL.
• Investigators must follow a set of standard forensic processes accepted by law in the respective jurisdiction.
• Investigators, under a court's warrant, have the authority to seize the computing devices.
• A formal investigation report is required.
• The law enforcement agencies are responsible for collecting and analyzing evidence.
• Punishments are harsh and include a fine, a jail sentence, or both.
• The standard of proof needs to be very high.
• It is difficult to capture certain evidence, e.g., GPS device evidence.
Reliable Evidence
extract and handle the evidence while maintaining a record of the tasks performed during the process to prove that the evidence is dependable. Forensic investigation is conducted only on copies of the evidence.
Data Recovery Stick
can recover deleted files.
The Sleuth Kit
command-line tools and a C library to analyze disk images and recover files from them.
FileMerlin
converts word processing, spreadsheet (xls), presentation (ppt) and database files between a wide range of file formats.
AccessData FTK
court-cited digital investigations platform that provides processing and indexing up front, so filtering and searching are fast. FTK can be set up for distributed processing and can incorporate web-based case management and collaborative analysis.
Evidence Documenter
gathers info and documents it from incident occurrence to the end of the investigation.
Computer Forensics
deals with the process of finding evidence related to a digital crime
RAPID IMAGE 7020 X2
designed to copy one "Master" hard drive to up to 19 "Target" hard drives
Autopsy
digital forensics platform and GUI to The Sleuth Kit® and other digital forensics tools.
Evidence Manager
has all the information about the evidence: name, evidence type, time, source of evidence, etc. Manages and maintains a record of the evidence such that it is admissible in a court of law.
Rule 801
hearsay
Authentic Evidence
investigators must provide supporting documents regarding the authenticity, accuracy, and integrity of the evidence with details such as source and its relevance to the case. If necessary, they must also furnish details such as author of the evidence or path of transmission.
Civil cases
involve disputes between two parties, which may include an individual versus a company, an individual versus another individual, or a company versus another. They relate to violation of contracts and lawsuits, where a guilty verdict generally results in monetary damages to plaintiff.
Ophcrack
is a free GUI-driven Windows password cracker based on rainbow tables
PALADIN
is a modified "live" Linux distribution based on the PALADIN Toolbox.
L0phtCrack
is password auditing and recovery software.
Oxygen Forensic Kit
is a ready-to-use and customizable mobile forensic solution for field and in-lab usage. Allows extraction of data from the device but also creates reports and analyzes data in the field.
TEMPEST
is an unclassified short name referring to investigations and studies of compromising emanations. Compromising emanations are unintentional intelligence-bearing signals that, if intercepted and analyzed, will disclose classified information when it is transmitted, received, handled, or otherwise processed by any information processing equipment.
18 USC §2252A
law about child pornography
Attorney
provides legal advice about the investigation and the legal issues involved in the forensic investigation process.
18 USC §2252B
misleading domains on Internet
Complete Evidence
must either prove or disprove the consensual fact in the litigation
Tableau T8-R2 Forensic USB Bridge
offers secure, hardware-based write blocking of USB storage devices.
Believable Evidence
present evidence in a clear manner to the jury and obtain expert opinions where necessary
ZX-Tower
provides secure sanitization of hard disk
WriteProtect-DESKTOP
provides secure, read-only write-blocking of suspect hard drives.
Cain & Abel
password recovery tool for Microsoft operating systems. Uses sniffing, dictionary, brute-force, and cryptanalysis attacks. Also records VoIP, decodes scrambled passwords, recovers wireless keys, reveals password boxes, uncovers cached passwords and analyzes routing protocols.
Fourth Amendment
states that government agents may not search or seize areas or things in which a person has a reasonable expectation of privacy without a search warrant. Note: private intrusions not acting under the color of governmental authority do not come under the Fourth Amendment.
FRED
systems are optimized for stationary laboratory acquisition and analysis. FRED will acquire data directly from IDE/EIDE/ATA/SATA/ATAPI/SAS/Firewire/USB hard drives and storage devices and save forensic images to Blu-Ray, DVD, CD, or hard drives.
Nuix Corporate Investigation Suite
used to collect, process, analyze, review, and report evidence.
R-Drive Image
utility that provides creation of disk image files for backup or duplication purposes.
18 USC §2702
voluntary disclosure of contents to government and non-government entities
Forensic Investigation Team
• Attorney: provides legal advice about the investigation and the legal issues involved in the forensic investigation process.
• Photographer: photographs the crime scene and all evidence. Should have an authentic certification.
• Incident Responder: responsible for the measures taken when an incident occurs, securing the incident area and collecting the evidence that is present at the crime scene. He or she should disconnect the system from other systems to stop the spread of the incident.
• Decision Maker: the person responsible for the authorization of a policy or procedure during the investigative process. Based on the incident type, makes decisions about the policies and procedures used to handle the incident.
• Incident Analyzer: analyzes the incidents based on their occurrence. He or she examines the incident with regard to its type, how it affects the systems, and the different threats and vulnerabilities associated with it. [page 75]
• Evidence Examiner/Investigator: examines the evidence acquired and sorts the useful evidence.
• Evidence Documenter: gathers information and documents it from the incident occurrence to the end of the investigation.
• Evidence Manager: has all the information about the evidence: name, evidence type, time, source of evidence, etc. Manages and maintains a record of the evidence such that it is admissible in a court of law.
• Expert Witness: offers a formal opinion as testimony in a court of law.
Forensic Software Tools
• Cain & Abel: password recovery tool for Microsoft operating systems. Uses sniffing, dictionary, brute-force, and cryptanalysis attacks. Also records VoIP, decodes scrambled passwords, recovers wireless keys, reveals password boxes, uncovers cached passwords and analyzes routing protocols.
• Recuva: recovers lost pictures, music, documents, video, email, or any other file type from all types of media. [page 67]
• Capsa: sniffer with support for over 300 network protocols. [page 69]
• R-Drive Image: utility that provides creation of disk image files for backup or duplication purposes. [page 70]
• FileMerlin: converts word processing, spreadsheet (xls), presentation (ppt) and database files between a wide range of file formats. [page 71]
• AccessData FTK: court-cited digital investigations platform that provides processing and indexing up front, so filtering and searching are fast. FTK can be set up for distributed processing and can incorporate web-based case management and collaborative analysis. [page 71]
• Guidance Software's EnCase: rapidly acquire data from a variety of devices and unearth potential evidence with disk-level forensic analysis. Produce comprehensive reports on your findings and maintain the integrity of your evidence in a format the courts have come to trust. [page 72]
• Nuix Corporate Investigation Suite: used to collect, process, analyze, review, and report evidence.
• PALADIN: a modified "live" Linux distribution based on the PALADIN Toolbox.
• The Sleuth Kit: command-line tools and a C library to analyze disk images and recover files from them.
• Autopsy: digital forensics platform and GUI to The Sleuth Kit® and other digital forensics tools.
• Oxygen Forensic Kit: a ready-to-use and customizable mobile forensic solution for field and in-lab usage. Allows extraction of data from the device, and also creates reports and analyzes data in the field. [page 73]
• L0phtCrack: password auditing and recovery software.
• Ophcrack: a free GUI-driven Windows password cracker based on rainbow tables. Ch21 sec 3.4.3 pg 79
• NIST has launched the Computer Forensic Tool Testing Project (CFTT), which establishes a "methodology for testing computer forensic software tools by development of general tool specifications, test procedures, test criteria, test sets, and test hardware."
A forensic investigator performs the following tasks
• Evaluates the damages of a security breach
• Identifies and recovers data required for the investigation
• Extracts the evidence in a forensically sound manner
• Ensures proper handling of the evidence
• Acts as a guide to the investigation team
• Creates reports and documents about the investigation required for presentation in a court of law
• Reconstructs damaged storage devices and uncovers the information hidden on the computer
• Updates the organization about various methods of attack and data recovery techniques, and regularly maintains a record of them (following a variety of documentation methods)
• Addresses the issue in a court of law and attempts to win the case by testifying in court
Forensic Hardware Tools
• FRED: systems optimized for stationary laboratory acquisition and analysis. FRED will acquire data directly from IDE/EIDE/ATA/SATA/ATAPI/SAS/Firewire/USB hard drives and storage devices and save forensic images to Blu-Ray, DVD, CD, or hard drives.
• Paraben's StrongHold Faraday Bags: block out wireless signals to protect evidence. [page 64]
• PC-3000 Data Extractor: diagnoses and fixes file system issues so that the client's data can be obtained.
• Paraben's Chat Stick: a thumb drive device that will search the entire computer and scan it for chat logs.
• RAPID IMAGE 7020 X2: designed to copy one "Master" hard drive to up to 19 "Target" hard drives.
• RoadMASSter-3 X2: a ruggedized, portable forensic lab for HDD data acquisition and analysis.
• Image MASSterTM Wipe PRO: a hard drive sanitization station.
• PC-3000 Flash: a hardware and software suite for recovering flash-based storage.
• ZX-Tower: provides secure sanitization of hard disks.
• WriteProtect-DESKTOP: provides secure, read-only write-blocking of suspect hard drives. [page 65]
• Data Recovery Stick: can recover deleted files.
• Tableau T8-R2 Forensic USB Bridge: offers secure, hardware-based write blocking of USB storage devices.
The following are the Computer Forensics Investigation Methodology
• First Response
• Search and Seizure
• Collect the Evidence
• Secure the Evidence
• Data Acquisition
• Data Analysis
• Evidence Assessment
• Documentation and Reporting
• Testify as an Expert Witness
Best Practices
• Get authorization to conduct the investigation from an authorized decision maker
• Document all the events and decisions at the time of the incident and the incident response
• Depending on the scope of the incident and the presence of any national security issues or life safety issues, the first priority is to protect the organization from further harm
Forensic investigators should memorize the rules listed below.
• Limit access to and examination of the original evidence
• Record changes made to the evidence files
• Create a chain of custody document
• Set standards for investigating the evidence
• Comply with the standards
• Hire professionals for analysis of evidence
• Evidence should be strictly related to the incident
• The evidence should comply with the jurisdiction standards
• Document the procedures applied to the evidence
• Securely store the evidence
• Use recognized tools for analysis
Duplicate will also suffice as evidence under the following conditions
• Original evidence is destroyed due to fire or flood.
• Original evidence is destroyed in the normal course of business.
• Original evidence is in the possession of a third party.
Setting up a CFL
• Planning and budgeting
• Location and structural concerns
• Work area considerations (50-63 sq ft per station; no windows)
• HR considerations (certifications and experience)
• Physical security recommendations
• Have the lab forensically licensed
o ASCLD/Lab Accreditation
o ISO/IEC 17025