COMPUTER FORENSICS II MIDTERM
Private-sector organizations include:
Businesses and government agencies that aren't involved in law enforcement
Redundant array of independent (formerly "inexpensive") disks (RAID)
Computer configuration involving two or more disks
- Originally developed as a data-redundancy measure
approved secure container
Container used to secure evidence.
• Use computer-safe products when collecting computer evidence
  - Antistatic bags
  - Antistatic pads
• Use well-padded containers
• Use evidence tape to seal all openings
  - CD drive bays
  - Insertion slots for power supply electrical cords and USB cables
Host Protected Area of Disk Drive
Copy the host _____ _____ area of a disk drive as well
- Consider using a hardware acquisition tool that can access the drive at the BIOS level
Mini-WinFE
Enables you to build a Windows forensic boot CD/DVD or USB drive so that connected drives are mounted as read-only
• Before booting a suspect's computer:
  - Connect your target drive, such as a USB drive
• After _____-_______ is booted:
  - You can list all connected drives and alter your target USB drive to read-write mode so you can run an acquisition program
Creating a disk-to-image file
Most common method and offers the most flexibility
- Can make more than one copy
- Copies are bit-for-bit replications of the original drive
- Tools: ProDiscover, EnCase, FTK, SMART, Sleuth Kit, X-Ways, iLookIX
Following Legal Processes
A criminal investigation usually begins when someone finds evidence of or witnesses a crime
- Witness or victim makes an allegation to the police
• Police interview the complainant and write a report about the crime
• Report is processed and management decides to start an investigation or log the information in a police blotter
  - Blotter is a historical database of previous crimes
Plain view doctrine
Objects falling in plain view of an officer who has the right to be in position to have that view are subject to seizure without a warrant and may be introduced in evidence
- Three criteria must be met:
  • Officer is where he or she has a legal right to be
  • Ordinary senses must not be enhanced by advanced technology in any way
  • Any discovery must be by chance
The plain view doctrine's applicability in the digital forensics world is being rejected
When attorneys challenge digital evidence
Often they raise the issue of whether computer-generated records were altered or damaged
EnCase Certified Examiner (EnCE) Certification
Open to the public and private sectors
- Is specific to use and mastery of EnCase forensics analysis
- Candidates are required to have a licensed copy of EnCase
Business case
Plan you can use to sell your services to management or clients
• Demonstrate how the lab will help your organization save money and increase profits
  - Compare the cost of an investigation with the cost of a lawsuit
  - Protect intellectual property, trade secrets, and future business plans
ISC² Certified Cyber Forensics Professional (CCFP)
Requires knowledge of
• Digital forensics
• Malware analysis
• Incident response
• E-discovery
• Other disciplines related to cyber investigations
When you're assigned a digital investigation case
Start by identifying the nature of the case
• Including whether it involves the private or public sector
Creating a disk-to-disk
When a disk-to-image copy is not possible
- Tools can adjust the disk's geometry configuration
- EnCase, SafeBack, SnapCopy
Windows Validation Methods
_________ has no built-in hashing algorithm tools for computer forensics
- Third-party utilities can be used
• Commercial computer forensics programs also have built-in validation features
  - Each program has its own validation technique
• Raw format image files don't contain metadata
  - Separate manual validation is recommended for all raw acquisitions
Validating Data Acquisitions
___________ evidence may be the most critical aspect of computer forensics
• Requires using a hashing algorithm utility
• ________ techniques
  - CRC-32, MD5, and SHA-1 to SHA-512
Computer stored records
must be shown to be authentic and trustworthy to be admitted into evidence
The Federal Rules of Evidence (FRE)
was created to ensure consistency in federal proceedings
Acquiring Data with a Linux Boot CD
• _______ can access a drive that isn't mounted
• Windows OSs and newer ________ automatically mount and access a drive
• Forensic ______ Live CDs don't access media automatically
  - Which eliminates the need for a write-blocker
• Using _____ Live CD Distributions
  - Forensic _______ Live CDs
    • Contain additional utilities
Performing RAID Data Acquisitions
Acquisition of ______ drives can be challenging and frustrating because of how ______ systems are
- Designed
- Configured
- Sized
• Size is the biggest concern
  - Many ______ systems now have terabytes of data
Industrial Espionage Investigations
All suspected industrial _____ cases should be treated as criminal investigations
One test to prove that computer-stored records are authentic is to demonstrate that a specific person created the records
The author of a Microsoft Word document can be identified by using file metadata
Private-sector investigations
focus more on policy violations
American Society of Crime Laboratory Directors (ASCLD)
offers guidelines for:
- Managing a lab
- Acquiring an official certification
- Auditing lab functions and procedures
Scientific Working Group on Digital Evidence (SWGDE)
set standards for recovering, preserving, and examining digital evidence
Acquisition tools for Windows
- Advantages
  • Make acquiring evidence from a suspect drive more convenient, especially when used with hot-swappable devices
- Disadvantages
  • Must protect acquired data with a well-tested write-blocking hardware device
  • Tools can't acquire data from a disk's host protected area
  • Some countries haven't accepted the use of write-blocking devices for data acquisitions
Digital Evidence First Responder (DEFR)
- Arrives on an incident scene, assesses the situation, and takes precautions to acquire and preserve evidence
Digital evidence
- Can be any information stored or transmitted in digital form
• U.S. courts accept digital evidence as physical evidence
  - Digital data is treated as a tangible object
High-Tech Crime Network (HTCN)
- Certified Computer Crime Investigator, Basic and Advanced Level
- Certified Computer Forensic Technician, Basic and Advanced Level
Investigating digital devices includes:
- Collecting data securely
- Examining suspect data to determine details such as origin and content
- Presenting digital information to courts
- Applying laws to digital device practices
Computer records are usually divided into:
- Computer-generated records
- Computer-stored records
Steps for problem solving
- Make an initial assessment about the type of case you are investigating
- Determine a preliminary design or approach to the case
- Create a detailed checklist
- Determine the resources you need
- Obtain and copy an evidence drive
- Identify the risks
- Mitigate or minimize the risks
- Test the design
- Analyze and recover the digital evidence
- Investigate the data you recover
- Complete the case report
- Critique the case
Preparing for a Search
- Probably the most important step in computing investigations
• To perform these tasks
  - You might need to get answers from the victim and an informant
    • Who could be a police detective assigned to the case, a law enforcement witness, or a manager or coworker of the person of interest to the investigation
Digital Investigations fall into two categories:
- Public-sector investigations
- Private-sector investigations
Data in a forensics acquisition tool is stored as an image file. There are three formats:
- Raw format
- Proprietary formats
- Advanced Forensics Format (AFF)
When making a copy, consider:
- Size of the source disk
  • Lossless compression might be useful
  • Use digital signatures for verification
  - When working with large drives, an alternative is using tape backup systems
- Whether you can retain the disk
When conducting public-sector investigations, you must understand laws on computer-related crimes including:
- Standard legal processes
- Guidelines on search and seizure
- How to build a criminal case
Types of acquisitions
- Static acquisitions and live acquisitions
Innocent information
- Unrelated information
- Often included with the evidence you're trying to recover
Digital forensics lab
- Where you conduct your investigation
- Store evidence
- House your equipment, hardware, and software
data recovery
- Which involves retrieving information that was deleted by mistake or lost during a power surge or server crash
Four methods of data collection
- Creating a disk-to-image file
- Creating a disk-to-disk
- Creating a logical disk-to-disk or disk-to-data file
- Creating a sparse data copy of a file or folder
Determining the best method depends on the circumstances of the investigation
Acquiring RAID Disks
Address the following concerns
- How much data storage is needed?
- What type of ______ is used?
- Do you have the right acquisition tool?
- Can the tool read a forensically copied _____ image?
- Can the tool read split data saves of each _____ disk?
• Copying small _______ systems to one large disk is possible
Federal Rules of Evidence
Allow a duplicate instead of originals when it is produced by the same impression as the original
Whole disk encryption
Be prepared to deal with ________ drives
- Whole disk _______ feature in Windows called BitLocker makes static acquisitions more difficult
- May require user to provide decryption key
authorized requester
Businesses are advised to specify an _____ _____ who has the power to initiate investigations
• Examples of groups with authority
  - Corporate security investigations
  - Corporate ethics office
  - Corporate equal employment opportunity office
  - Internal auditing
  - The general counsel or legal department
A Brief History of Digital Forensics
By the early 1990s, the International Association of Computer Investigative Specialists (IACIS) introduced training on software for digital forensics
• IRS created search-warrant programs
• ASR Data created Expert Witness for Macintosh
• ILook is currently maintained by the IRS Criminal Investigation Division
• AccessData Forensic Toolkit (FTK) is a popular commercial product
Validation techniques
CRC-32, MD5, and SHA-1 to SHA-512
Logical acquisition or sparse acquisition
Can take several hours; use when your time is limited
- Logical acquisition captures only specific files of interest to the case
- Sparse acquisition collects fragments of unallocated (deleted) data
- For large disks
- PST or OST mail files, RAID servers
Certified Forensic Computer Examiner (CFCE)
Candidates who complete the IACIS test are designated as a _________
Update your skills through appropriate training
- Thoroughly research the requirements, cost, and acceptability in your area of employment
• International Association of Computer Investigative Specialists (IACIS)
  - Created by police officers who wanted to formalize credentials in computing investigations
Advanced Forensics Format
Developed by Dr. Simson L. Garfinkel as an open-source acquisition format
• Design goals
  - Provide compressed or uncompressed image files
  - No size restriction for disk-to-image files
  - Provide space in the image file or segmented files for metadata
  - Simple design with extensibility
  - Open source for multiple platforms and OSs
  - Internal consistency checks for self-authentication
• File extensions include .afd for segmented image files and .afm for AFF metadata
• AFF is open source
Understanding Case Law
Existing laws can't keep up with the rate of technological change
• When statutes don't exist, _________ is used
  - Allows legal counsel to apply previous similar cases to the current one in an effort to address ambiguity in laws
• Examiners must be familiar with recent court rulings on search and seizure in the electronic environment
Digital Evidence Specialist (DES)
Has the skill to analyze the data and determine when another specialist should be called in to assist
A special category of private-sector businesses includes _________ and other communication companies
ISPs can investigate computer abuse committed by their employees, but not by customers
- Except for activities that are deemed to create an emergency situation
• Investigating and controlling computer incident scenes in the corporate environment
  - Much easier than in the criminal environment
  - Incident scene is often a workplace
Risk management
Involves determining how much risk is acceptable for any process or operation
- Identify equipment your lab depends on so it can be periodically replaced
- Identify equipment you can replace when it fails
Public-sector investigations
Involve government agencies responsible for criminal investigations and prosecution
• Fourth Amendment to the U.S. Constitution
  - Restricts government search and seizure
• The Department of Justice (DOJ) updates information on computer search and seizure regularly
limiting phrase
Judges often issue a _____ phrase to the warrant
- Allows the police to separate innocent information from evidence
Proprietary Formats
Most forensics tools have their own formats
• Features offered
  - Option to compress or not compress image files
  - Can split an image into smaller segmented files
  - Can integrate metadata into the image file
• Disadvantages
  - Inability to share an image between different tools
  - File size limitation for each segmented volume
• The Expert Witness format is an unofficial standard
Digital forensics
The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.
- In October 2012, an ISO standard for digital forensics was ratified
- ISO 27037 Information technology - Security techniques
As long as bit-stream copies of data are created and maintained properly
The copies can be admitted in court, although they aren't considered best evidence
Best evidence rule states:
To prove the content of a written document, recording, or photograph, ordinarily the original writing, recording, or photograph is required
Developing Digital Forensics Resources
To supplement your resources/knowledge:
- Develop and maintain contact with computing, network, and investigative professionals
- Join computer user groups in both the public and private sectors
  • Example: Computer Technology Investigators Network (CTIN) meets to discuss problems that digital forensics examiners encounter
- Consult outside experts
Understanding Private-Sector Investigations
_________ sector investigations involve private companies and lawyers who address company policy violations and litigation disputes
- Example: wrongful termination
• Businesses strive to minimize or eliminate litigation
• Private-sector crimes can involve:
  - E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage
Businesses can reduce the risk of litigation by publishing and maintaining policies that employees find easy to read and follow
• Most important policies define rules for using the company's computers and networks
  - Known as an "acceptable use policy"
Affidavit
A sworn statement in support of facts about or evidence of a crime
- Must include exhibits that support the allegation
Computer-generated records
are considered authentic if the program that created the output is functioning correctly
- Usually considered an exception to the hearsay rule
The Fourth Amendment
protects everyone's right to be secure from search and seizure
- Separate search warrants might not be necessary for digital evidence
• Every U.S. jurisdiction has case law related to the admissibility of evidence recovered from computers and other digital devices
Non-government organizations (NGOs) must comply with
state public disclosure and federal Freedom of Information Act (FOIA) laws
- And make certain documents available as public records
FOIA allows citizens to request copies of public documents created by federal agencies
Line of authority
states who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
FBI Computer Analysis and Response Team (CART)
was formed in 1984 to handle cases involving digital evidence
Raw Format
• Makes it possible to write bit-stream data to files
• Advantages
  - Fast data transfers
  - Ignores minor data read errors on source drive
  - Most computer forensics tools can read ______ format
• Disadvantages
  - Requires as much storage as original disk or data
  - Tools might not collect marginal (bad) sectors