Module 1 - Understanding the Digital Forensics Profession and Investigations


A basic investigation plan should include the following activities:

- Acquire the evidence
- Complete an evidence form and establish a chain of custody
- Transport the evidence to a computer forensics lab
- Secure evidence in an approved secure container

Steps for problem solving (cont'd)

- Identify the risks
- Mitigate or minimize the risks
- Test the design
- Analyze and recover the digital evidence
- Investigate the data you recover
- Complete the case report
- Critique the case

Systematic Approach (Steps for problem solving)

- Make an initial assessment about the type of case you are investigating
- Determine a preliminary design or approach to the case
- Create a detailed checklist
- Determine the resources you need
- Obtain and copy an evidence drive

Digital investigations fall into two categories

- Public-sector investigations
- Private-sector investigations

Assessing the Case (Systematically outline the case details)

- Situation
- Nature of the case
- Specifics of the case
- Type of evidence
- Known disk format
- Location of evidence

Private-sector investigations

- Involve private companies and lawyers who address company policy violations and litigation disputes
- Focus more on policy violations than on criminal prosecution
- Businesses strive to minimize or eliminate litigation

Investigating digital devices

- Collecting data securely
- Examining suspect data to determine details such as origin and content
- Presenting digital information to courts
- Applying laws to digital device practices

Network intrusion detection and incident response

Detects intruder attacks by using automated tools and monitoring network firewall logs

Private-sector crimes

E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage

Businesses can reduce the risk of litigation by displaying a warning banner on computer screens

Informs end users that the organization reserves the right to inspect computer systems and network traffic at will, so users cannot claim an expectation of privacy on those systems

Public-sector investigations

Involve government agencies responsible for criminal investigations and prosecution; unlike private-sector investigations, they focus on crimes rather than company policy violations, and searches are constrained by the Fourth Amendment

Digital investigations

Manages investigations and conducts forensics analysis of systems suspected of containing evidence

A basic investigation plan (cont'd)

- Prepare your forensics workstation
- Retrieve the evidence from the secure container
- Make a forensic copy of the evidence
- Return the evidence to the secure container
- Process the copied evidence with computer forensics tools

Chain of custody

Route the evidence takes from the time you find it until the case is closed or goes to court
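The "make a forensic copy" step, the "validation with mathematics" in the definition of digital forensics, and the chain of custody are one continuous procedure in practice: image the evidence, hash both the original and the image so the copy can be proven identical, work only on the copy, and record every handling event. The script below is an added example written for this page; it is not from the textbook or the study set. It stands in a small constructed byte string for an evidence drive (no real disk image is read), the case number and item ID are hypothetical, and it writes to a temporary directory it cleans up afterwards.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # stream in 1 MiB blocks so a large image does not fill RAM

# Constructed stand-in for an evidence drive: a fake boot-sector signature
# followed by filler. It is NOT a real disk image.
EVIDENCE_BYTES = b"\x00" * 510 + b"\x55\xaa" + b"evidence-sector-data " * 500


def hash_file(path, algorithms=("md5", "sha256")):
    """Read the file once and return {algorithm: hexdigest} for every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def forensic_copy(source, dest):
    """Byte-for-byte copy of source to dest, verified by hashing both files.

    Returns (source_hashes, copy_hashes, verified). Both digests are taken
    from the files on disk after the copy, so they prove what was written,
    not what was held in memory.
    """
    with open(source, "rb") as src, open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK_SIZE)
    source_hashes = hash_file(source)
    copy_hashes = hash_file(dest)
    return source_hashes, copy_hashes, source_hashes == copy_hashes


class CustodyLog:
    """Append-only custody record for one item (a single-evidence form)."""

    def __init__(self, case_number, item_id, description):
        self.header = {"case_number": case_number, "item_id": item_id,
                       "description": description}
        self.entries = []

    def record(self, action, custodian, hashes=None, note=""):
        """Add one handling event: timestamp, who held the item, current digests."""
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "hashes": hashes,
            "note": note,
        })

    def acquisition_hashes(self):
        """Digests recorded when the item was first acquired."""
        return next(e["hashes"] for e in self.entries if e["hashes"])

    def verify_unchanged(self, path):
        """Re-hash the item and compare with the acquisition-time digests."""
        return hash_file(path) == self.acquisition_hashes()

    def to_json(self):
        return json.dumps({"header": self.header, "entries": self.entries}, indent=2)


def run_demo():
    """Acquire, copy, verify, return the original, then catch a modified copy."""
    workdir = tempfile.mkdtemp(prefix="case-")
    original = os.path.join(workdir, "evidence.dd")
    image = os.path.join(workdir, "evidence-copy.dd")
    with open(original, "wb") as fh:
        fh.write(EVIDENCE_BYTES)

    # Case number, item ID and custodian names are hypothetical.
    log = CustodyLog("2024-0001", "ITEM-01", "constructed sample image")
    log.record("acquired", "examiner A", hash_file(original), "sealed in evidence bag")

    src_hashes, copy_hashes, verified = forensic_copy(original, image)
    log.record("forensic copy made", "examiner A", copy_hashes,
               "copy verified" if verified else "COPY MISMATCH")

    # Analysis happens on the copy; the original goes back to the secure container.
    log.record("returned to secure container", "evidence custodian B", hash_file(original))

    # Simulate an undocumented change to the copy and show the re-hash catches it.
    with open(image, "r+b") as fh:
        fh.seek(100)
        fh.write(b"X")
    tamper_detected = not log.verify_unchanged(image)
    original_intact = log.verify_unchanged(original)

    shutil.rmtree(workdir)
    return {
        "copy_verified": verified,
        "source_hashes": src_hashes,
        "copy_hashes": copy_hashes,
        "expected_sha256": hashlib.sha256(EVIDENCE_BYTES).hexdigest(),
        "tamper_detected": tamper_detected,
        "original_intact": original_intact,
        "log_entries": len(log.entries),
        "log_json": log.to_json(),
    }


if __name__ == "__main__":
    result = run_demo()
    print(result["log_json"])
    print("copy verified:", result["copy_verified"],
          "| tamper detected:", result["tamper_detected"])
```

Two digests are kept (MD5 and SHA-256) because many existing tools and custody forms still record MD5 while courts and newer tools expect a collision-resistant hash; recording both lets the image be matched against either. The custody log is deliberately append-only: a correction is a new entry, never an edit, so the record shows the full route the evidence took.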

Vulnerability/threat assessment and risk management

Tests and verifies the integrity of stand-alone workstations and network servers

Digital forensics

The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.

Two types of custody form

- Single-evidence form: lists each piece of evidence on a separate page
- Multi-evidence form: lists several items of evidence from the same case on one page

Securing Your Evidence

- Use evidence bags to secure and catalog the evidence
- Use computer-safe products when collecting computer evidence
  - Antistatic bags
  - Antistatic pads
- Use well-padded containers
- Use evidence tape to seal all openings
  - CD drive bays
  - Insertion slots for power supply electrical cords and USB cables

Digital Forensics

- Vulnerability/threat assessment and risk management
- Network intrusion detection and incident response
- Digital investigations

FBI Computer Analysis and Response Team (CART)

Formed in 1984 to handle cases involving digital evidence; by the late 1990s, CART teamed up with the Department of Defense Computer Forensics Laboratory (DCFL)

An evidence custody form

Helps you document what has been done with the original evidence and its forensic copies; also called a chain-of-evidence form

Fourth Amendment to the U.S. Constitution

Protects everyone's right to be secure from unreasonable search and seizure; a search of a person's property generally requires a warrant or other valid search authority.

Line of authority

States who has the legal right to initiate an investigation, who can take possession of evidence, and who can have access to evidence

Federal Rules of Evidence (FRE)

Created to ensure consistency in federal proceedings
- Signed into law in 1975
- Many states' rules map to the FRE

