Digital Forensics
What do police need in order to search someone's property?
A search warrant
Affidavit
A sworn statement in support of facts about, or evidence of, a crime. It must include exhibits that support the allegation.
A basic investigation plan should include the following activities:
Acquire the evidence; complete an evidence form and establish a chain of custody; transport the evidence to a computer forensics lab; secure the evidence in an approved secure container; prepare your forensics workstation; retrieve the evidence from the secure container; make a forensic copy of the evidence; return the evidence to the secure container; process the copied evidence with computer forensics tools.
What are businesses advised to specify?
An authorized requester, which is a person who has the power to initiate investigations.
Policies can address rules for which of the following? When you can log on to a company network from home; the Internet sites you can or can't access; the amount of personal e-mail you can send; or any of the above.
Any of the above is the answer.
Digital Evidence First Responder (DEFR)
Arrives on an incident scene, assesses the situation, and takes precautions to acquire and preserve evidence
What is professional conduct, and why is it important?
Behavior that is required of an employee in the workplace or other professional settings. It is important because it determines how credible you are.
Is it possible to figure out someone's password without them telling you? If the answer is yes, what are some things that make it harder to do so?
Brute force; rainbow tables; dictionary attacks.
List three items that should be on an evidence custody form.
Case number, investigating organization, and investigator.
What do you call a list of people who have had physical possession of the evidence?
Chain of Custody
Computers can contain information that helps law enforcement determine:
The chain of events leading to a crime; evidence that can lead to a conviction.
Investigating digital devices includes:
Collecting data securely; examining suspect data to determine details such as origin and content; presenting digital information to courts; applying laws to digital device practices.
Examples of groups with authority
Corporate security investigations; corporate ethics office; corporate equal employment opportunity office; internal auditing; the general counsel or legal department.
Network intrusion detection and incident response
Detects intruder attacks by using automated tools and monitoring network firewall logs
Guidelines when initiating an investigation
Determine whether this investigation involves a possible industrial espionage incident; consult with corporate attorneys and upper management; determine what information is needed to substantiate the allegation; generate a list of keywords for disk forensics and sniffer monitoring; list and collect resources for the investigation; determine the goal and scope of the investigation; initiate the investigation after approval from management.
Businesses can avoid litigation by:
Displaying a warning banner on computer screens that informs end users that the organization reserves the right to inspect computer systems and network traffic at will.
Private-sector crimes can involve:
E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage
List two types of digital investigations typically conducted in a business environment.
E-mail abuse and Internet abuse.
List two items that should appear on a warning banner.
Entry into the system and network is not allowed, and use of this system and network is for official business only.
Why should evidence media be write-protected?
Evidence media should be write-protected so that the data cannot be altered.
Planning considerations
Examine all e-mail of suspected employees; search Internet newsgroups or message boards; initiate physical surveillance; examine facility physical access logs for sensitive areas; determine the suspect's location in relation to the vulnerable asset; study the suspect's work habits; collect all incoming and outgoing phone logs.
Digital forensics and data recovery refer to the same activities. True or False?
False
Under normal circumstances, a private-sector investigator is considered an agent of law enforcement. True or False?
False
You should always prove the allegations made by the person who hired you. True or False?
False
Private-sector investigations: what they involve and their ultimate goals
Focus more on policy violations; involve private companies and lawyers who address company policy violations and litigation disputes; the job is to minimize risk to the company.
Police in the United States must use procedures that adhere to which of the following?
Fourth Amendment
Steps to conducting an industrial espionage case
Gather all personnel assigned to the investigation and brief them on the plan; gather resources to conduct the investigation; place surveillance systems at key locations; discreetly gather any additional evidence; collect all log data from networks and e-mail servers; report regularly to management and corporate attorneys; review the investigation's scope with management and corporate attorneys.
Digital Evidence Specialist (DES)
Has the skill to analyze the data and determine when another specialist should be called in to assist
Evidence custody form
Helps you document what has been done with the original evidence and its forensics copies
Ask yourself the following questions:
How could you improve your performance in the case? Did you expect the results you found? Did the case develop in ways you did not expect? Was the documentation as thorough as it could have been? What feedback has been received from the requesting source? Did you discover any new problems? If so, what are they? Did you use new techniques during the case or during research?
What are some ways to determine the resources needed for an investigation?
To determine the resources needed for an investigation, one must determine the OS of the suspect computer and list the software that will be used for the examination.
Professional conduct
Includes ethics, morals, and standards of behavior
Public-sector investigations
Involve government agencies responsible for criminal investigations and prosecution
What is the role of a digital forensics professional?
To gather evidence to prove that a suspect committed a crime or violated a company policy; collect evidence that can be offered in court or at a corporate inquiry; investigate the suspect's computer; preserve the evidence on a different computer.
How is data recovery different from digital forensics?
It involves retrieving information that was deleted by mistake or lost during a power surge or server crash.
What is a container?
It is a digital device that contains evidence of criminal activity.
What is a tool?
It is a digital device that is used to commit a crime.
What is a target?
It is a digital device that is the target of the crime.
What's the purpose of an affidavit?
It is mainly used to justify issuing a warrant or to deal with abuse in a corporation.
What's the purpose of maintaining a network of digital forensics specialists?
It's good to have the option of a specialist readily available to call for help with a case you either cannot solve or need help with.
Multi-evidence form
Lists all items associated with a case
Single-evidence form
Lists each piece of evidence on a separate page
Steps for problem solving
Make an initial assessment about the type of case you are investigating; determine a preliminary design or approach to the case; create a detailed checklist; determine the resources you need; obtain and copy an evidence drive; identify the risks; mitigate or minimize the risks; test the design; analyze and recover the digital evidence; investigate the data you recover; complete the case report; critique the case.
Digital investigations
Manages investigations and conducts forensics analysis of systems suspected of containing evidence
If the police think your computer has been used in a crime, can they search it without a warrant?
No
What is the difference between steganography and cryptography?
Steganography hides the existence of the data; its protection is that no one knows the data exists. Cryptography protects the data itself; everyone can see it, but no one can read it.
Fourth Amendment
Protects everyone's right to be secure from search and seizure. Separate search warrants might not be necessary for digital evidence.
What are the two distinct categories of investigations?
Public investigations Private or corporate investigations
Digital investigations fall into two categories:
Public-sector investigations Private-sector investigations
Steps for conducting an ACP case
Request a memorandum from the attorney directing you to start the investigation; request a list of keywords of interest to the investigation; initiate the investigation and analysis; for disk drive examinations, make two bit-stream images using different tools for each image; compare hash signatures on all files on the original and re-created disks; methodically examine every portion of the disk drive and extract all data; run keyword searches on allocated and unallocated disk space; for Windows OSs, use specialty tools to analyze and extract data from the Registry; for binary data files such as CAD drawings, locate the correct software product; for unallocated data recovery, use a tool that removes or replaces nonprintable data; consolidate all recovered data from the evidence bit-stream image into folders and subfolders.
Chain of custody
Route the evidence takes from the time you find it until the case is closed or goes to court
Attorney-client privilege (ACP)
Rules for an attorney
Systematically outline the case details
Situation; nature of the case; specifics of the case; type of evidence; known disk format; location of evidence.
Line of authority
States who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence
Vulnerability/threat assessment and risk management
Tests and verifies the integrity of stand-alone workstations and network servers.
Digital Forensics
The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.
What is cryptography?
The art of writing or solving codes (i.e., encryption).
What must an investigator be able to do?
The person must be able to exhibit the highest level of professional behavior at all times; maintain objectivity; maintain credibility by maintaining confidentiality; and attend training to stay current with the latest technical changes in computer hardware and software, networking, and forensic tools.
What is steganography?
The practice of concealing messages or information within other nonsecret text or data.
List three items that should be in your case report.
There needs to be an explanation of standard computer and network techniques used, an account of the steps you took, and a description of your findings.
Why should you critique your case after it's finished?
To decide what changes you made for the better during each case, what could have been changed, and how to apply what you learned to future cases.
Data collected before an attorney issues a memo for an attorney-client privilege case is protected under the confidential work product rule. True or False?
True
For digital evidence, an evidence bag is typically made of antistatic material. True or False?
True
Sample text that can be used in internal warning banners:
Use of this system and network is for official business only; systems and networks are subject to monitoring at any time by the owner; using this system implies consent to monitoring by the owner; unauthorized or illegal users of this system or network will be subject to discipline or prosecution.
The triad of computing security includes which of the following?
Vulnerability/threat assessment and risk management, network intrusion detection and incident response, and digital investigation.
Federal Rules of Evidence (FRE)
Was created to ensure consistency in federal proceedings; signed into law in 1973; many states' rules map to this law.
FBI Computer Analysis and Response Team (CART)
Was formed in 1984 to handle cases involving digital evidence.
If you work in a business and they think your work computer has been used to embezzle from the company, can they search it without a warrant?
Yes
What are the necessary components of a search warrant?
You need an affidavit that shows the evidence needed to conduct an investigation.
Why should you do a standard risk assessment to prepare for an investigation?
You should do a standard risk assessment so that you know the risks that could stop an investigation.
Six Ws:
who, what, when, where, why, how