Computer Forensics and Security


The role of a digital forensics professional

to gather evidence to prove that a suspect committed a crime or violated a company policy

Best evidence rule

To prove the content of a written document, recording, or photograph, the original writing, recording, or photograph is ordinarily required; however, under the FRE a duplicate is allowed in place of the original when it is produced by the same impression as the original.

Created to ensure consistency in federal proceedings

Federal Rules of Evidence (FRE)
- Signed into law in 1973
- Many states' rules map to the FRE

Most federal courts have interpreted computer record as what kind of evidence?

Hearsay

General tasks investigators perform when working with digital evidence:

- Identify digital information or artifacts that can be used as evidence
- Collect, preserve, and document evidence
- Analyze, identify, and organize evidence
- Rebuild evidence or repeat a situation to verify that the results can be reproduced reliably

Computer records are usually divided into:

- Computer-generated records: data the system maintains (examples: system logs, proxy server logs, etc.)
- Computer-stored records: records a person saves and stores on the computer (examples: Word document, spreadsheet, picture, etc.)

Businesses are advised to specify an authorized requester who has the power to initiate investigations such as:

- Corporate security investigations
- Corporate ethics office
- Corporate equal employment opportunity office
- Internal auditing
- The general counsel or legal department

What are the complications of RAID disks?

- How much data storage is needed
- What type of RAID is used
- Do you have the right acquisition tool
- Can the tool read a forensically copied RAID image
- Can the tool read split data saves of each RAID disk
- Copying small RAID systems to one large disk is possible

To conduct an investigation for internet abuse you need:

- Organization's Internet proxy server logs
- Suspect computer's IP address
- Suspect computer's disk drive
- Your preferred computer forensics analysis tool

Chain of Custody

The route the evidence takes from the time you find it until the case is closed or goes to court.

A basic investigation plan should include:

- Secure evidence in an approved secure container
- Complete an evidence form and establish a chain of custody
- Transport the evidence to a computer forensics lab

A basic investigation should include:

- Acquire the evidence
- Complete an evidence form and establish a chain of custody
- Transport the evidence to a computer forensics lab
- Secure evidence in an approved secure container
- Prepare your forensics workstation
- Retrieve the evidence from the secure container
- Make a forensic copy of the evidence
- Return the evidence to the secure container

To conduct an E-mail abuse investigation you need:

- An electronic copy of the offending e-mail that contains message header data
- If available, e-mail server log records
- For e-mail systems that store users' messages on a central server, access to the servers
- Access to the computer so that you can perform a forensic analysis on it
- Your preferred computer forensics analysis tool

Logical acquisition or sparse acquisition

- Can take several hours; use when your time is limited
- Logical acquisition captures only specific files of interest to the case
- Sparse acquisition collects fragments of unallocated (deleted) data
- For large disks

Magnetic tapes as a storing device

- Capacity: 40-75 GB
- Lifespan: 30 years
- Costs: drive $400-$800, tape $40

Investigating digital devices includes:

- Collecting data securely
- Examining suspect data to determine details such as origin and content
- Presenting digital information to courts
- Applying laws to digital device practices

Contingency planning for image acquisitions

- Create a duplicate copy of your evidence image file
- Make at least two images of digital evidence and use different tools or techniques
- Copy the host protected area of a disk drive as well; consider using a hardware acquisition tool that can access the drive at the BIOS level
- Be prepared to deal with encrypted drives

Four methods of data collection

- Creating a disk-to-image file
- Creating a disk-to-disk copy
- Creating a logical disk-to-disk or disk-to-data file
- Creating a sparse data copy of a file or folder

RAID 1

- Designed for data recovery
- More expensive than RAID 0

To supplement your knowledge about digital forensics, you should:

- Develop contacts with computer, network, and investigative professionals
- Join computer user groups in the public and private sectors, e.g. Computer Technology Investigators Network (CTIN)
- Consult with outside experts

Advanced Forensics Format

- Developed by Dr. Simson L. Garfinkel as an open source acquisition format
- Design goals:
  - Provide compressed or uncompressed image files
  - No size restriction for disk-to-image files
  - Provide space in the image file or segmented files for metadata
  - Simple design with extensibility
  - Open source for multiple platforms and OSs
  - Internal consistency checks for self-authentication

Systematic approach

- Make an initial assessment about the type of case you are investigating
- Determine a preliminary design or approach to the case
- Create a detailed checklist
- Determine the resources you need
- Obtain and copy an evidence drive
- Identify the risks
- Mitigate or minimize the risks
- Test the design
- Analyze and recover the digital evidence
- Investigate the data you recover
- Complete the case report
- Critique the case

Raw format

- Makes it possible to write a bit-stream (bit by bit) copy to files
- Advantages:
  - Fast data transfers
  - Ignores minor data read errors on the source drive
  - Most computer forensics tools can read raw format
- Disadvantages:
  - Requires as much storage as the original disk or data
  - Tools might not collect marginal sectors
  - Does not have metadata

Gathering evidence

- Meet with the IT manager to interview him
- Fill out the evidence form and have the IT manager sign it
- Place the evidence in a secure container
- Carry the evidence to the computer forensics lab
- Complete the evidence custody form
- Secure the evidence by locking the container

Disk-to-image file

- Most common method and offers the most flexibility
- Can make more than one copy
- Copies are bit-by-bit replications of the original drive

Proprietary formats

- Most forensics tools have their own formats
- Advantages:
  - Option to compress or not compress image files
  - Can split an image into smaller segmented files
  - Can integrate metadata into the image file (i.e. date/time of acquisition, hash values of the original disk, investigator, etc.)
- Disadvantages:
  - Inability to share an image between different tools (or vendors)
  - File size limitations for each segmented volume
- The Expert Witness format is currently the unofficial standard

Resources for conducting an investigation

- Original storage media
- Evidence custody form
- Evidence container for the storage media
- Bit-stream imaging tool
- Forensic workstation to copy and examine your evidence
- Secure the evidence by locking the container

RAID 0

- Provides rapid access and increased storage
- Biggest disadvantage is lack of redundancy

Documenting evidence in the lab

- Record your activities and findings as you work; maintain a journal to record the steps you take as you process evidence
- Your goal is to be able to reproduce the same result when you or another investigator repeat the steps you took to collect evidence
- A journal serves as a reference that documents the methods you used to process digital evidence

How do you maintain the chain of custody?

- Restrict access to the lab and evidence
- The lab should have a sign-in roster for all visitors; maintain logs for a period based on legal requirements

Assessing the case: how can you determine the case requirements?

- Situation
- Nature of the case
- Specifics of the case
- Type of evidence
- Known disk format
- Location of evidence

To determine the best acquisition method, consider:

- Size of the source disk
  - Lossless compression might be useful
  - Use digital signatures for verification
- When working with large drives, an alternative is using tape backup systems
- Consider whether you can retain the disk

When conducting public-sector investigations, you must understand laws on computer-related crimes including:

- Standard legal processes
- Guidelines on search and seizure
- How to build a criminal case

Misuses of company Internet

- Surfing the Internet
- Sending personal e-mail
- Using company computers for personal tasks

CDs as a storing device

- The ideal media
- Capacity: up to 17 GB
- Lifespan: 2-5 years

Recommended steps for internet abuse investigations:

- Use standard forensic analysis techniques and procedures
- Use appropriate tools to extract all Web page URL information
- Contact the network firewall administrator and request a proxy server log
- Compare the data recovered from forensic analysis to the proxy server log
- Continue analyzing the computer's disk drive data

Disk-to-disk copy

- Used when a disk-to-image copy is not possible
- Tools can adjust the target disk's geometry configuration

Remote Network Acquisition Tools

- You can remotely connect to a suspect computer via a network connection and copy data from it
- Remote acquisition tools vary in configurations and capabilities
- Drawbacks:
  - Antivirus, anti-spyware, and firewall tools can be configured to ignore remote access programs
  - Suspects could easily install their own security tools that trigger an alarm to notify them of remote access intrusions

Blotter

A historical database of previous crimes

A sworn statement of support of fact about or evidence of a crime

Affidavit
- Must include exhibits that support the allegation

Digital Evidence First Responder (DEFR)

Arrives on an incident scene, assesses the situation, and takes precautions to acquire and preserve evidence

AFIS

Automated Fingerprint Identification System: a computerized system for identifying fingerprints that's connected to a central database. Used to identify criminal suspects and review thousands of fingerprint samples at high speed.

BYOD

Bring Your Own Device
- Some companies state that if you connect a personal device to the business network, it falls under the same rules as company property

When laws cannot keep up with the rate of technological changes and a statute does not exist, what is used?

Case law

was formed in 1984 to handle cases involving digital evidence

Computer Analysis and Response Team (CART)
- Teamed up with the Department of Defense Computer Forensics Laboratory (DCFL)

CRC

Cyclic Redundancy Check
- Mathematical algorithm that determines whether a file's contents have changed
- NOT considered a forensic hashing algorithm

Data recovery vs. Digital forensics

Data recovery is retrieving information that was deleted by mistake or lost. Digital forensics looks at everything on a device, deleted and otherwise.

Has the skill to analyze the data and determine when another specialist should be called in to assist

Digital Evidence Specialist (DES)

Private-sector crimes can include

E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage

FOIA

Freedom of Information Act: requires non-government organizations (NGOs) to comply and make certain documents available as public records. It allows citizens to request copies of public documents created by federal agencies.

Processing a crime scene

Guidelines:
- Keep a journal to document your activities
- Secure the scene; be professional and courteous with onlookers; remove people who are not part of the investigation
- Take video and still recordings of the area around the computer; pay attention to details
- Sketch the incident or crime scene
- Check the state of the computers as soon as possible
- Don't cut electrical power to a running system
- Save data from current applications as safely as possible
- Record all active windows or shell sessions
- Make notes of everything you do when copying data from a live suspect computer
- Close applications and shut down the computer
- Bag and tag the evidence
- Look for information related to the investigation: passwords, passphrases, PINs, bank accounts
- Collect documentation and media related to the investigation: hardware, software, backup media, documentation manuals

MD5

Message Digest 5
- Mathematical formula that translates a file into a hexadecimal code value, or hash value; if a bit or byte in the file changes, the hash value changes, which can be used to verify that a file or drive has not been tampered with

Plain view doctrine

Objects falling in plain view of an officer who has the right to be in position to have that view are subject to seizure without a warrant and may be introduced in evidence. Three criteria must be met:
- The officer is where he or she has a legal right to be
- Ordinary senses must not be enhanced by advanced technology in any way
- Any discovery must be by chance

When was the ISO Standard for digital forensics ratified?

October 2012

Two categories of investigations

- Public sector: government
- Private sector: companies

RAID

Redundant Array of Independent Disks. RAID drives can be challenging and frustrating to acquire because of how RAID systems are designed, configured, and sized.

SWGDE

Scientific Working Group on Digital Evidence is a group that sets standards for recovering, preserving, and examining digital evidence.

SHA-1

Secure Hash Algorithm version 1
- A newer hashing algorithm
- Developed by the National Institute of Standards and Technology (NIST)

Two types of acquisitions

Static and live

"Bag and Tag"

Steps:
- Assign one person to collect and log all evidence
- Tag all evidence you collect with the current date and time, serial numbers or unique features, make and model, and the name of the person who collected it
- Maintain two separate logs of collected evidence
- Maintain constant control of the collected evidence and the crime or incident scene

Super DLT (SDLT)

Super Digital Linear Tape
- Specifically designed for large RAID data backups
- Can store more than 1 TB of data

What is digital forensics?

The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.

A display on a computer screen that states the organization reserves the right to inspect computer systems and network traffic

Warning banner

Evidence custody form

Also called a chain-of-evidence form: a document that tells you what has been done with the original evidence and its forensic copies.
- Single-evidence and multi-evidence forms

Digital Evidence

Any information stored or transmitted in digital form. U.S. courts accept digital evidence as physical evidence, and digital data is treated as tangible objects.

Preparing the investigation team

Before initiating the search:
- Review facts, plans, and objectives with the investigation team you have assembled

Goal of scene processing:
- To collect and secure digital evidence

Digital evidence is volatile; develop skills to assess facts quickly.

How can the creator of a Word document be identified?

By looking at the metadata

Validating acquired data

md5sum, sha1sum

Three formats for forensic acquisition

Raw, proprietary, and Advanced Forensics Format (AFF)

Hearsay

Secondhand or indirect evidence; it needs eyewitness testimony or corroborating evidence (it can't stand on its own)
- Exception: business records

Line of Authority

States who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence

Innocent information

Information unrelated to the crime that is often included with the evidence you're trying to recover; a limiting phrase in the warrant allows the police to separate innocent information from evidence.

Department of Justice (DOJ)

Updates information on computer search and seizure regularly

Consistent practice helps with

Verifying your work and enhancing your credibility
