SAK 4801 INTRODUCTION TO COMPUTER FORENSICS
Chapter 3 Computer Investigation Process
Mohd Taufik Abdullah
Department of Computer Science
Faculty of Computer Science and Information Technology
Universiti Putra Malaysia
Portions of the material courtesy Professor EC-Council
2 Chapter 3 Computer Investigation Process SAK4801 Introduction to Computer Forensics
Learning Objectives
• Explain how to prepare a computer investigation
• Apply a systematic approach to an investigation
• Describe procedures for corporate high-tech investigations
• Explain requirements for data recovery workstations and software
• Describe how to conduct an investigation
• Explain how to complete and critique a case
Chapter 3 Outline
3. Computer Investigation Process
3.1. Introduction
3.2. Investigating Computer Crime
3.3. Investigating Company Policy Violations
3.4. Conducting a Computer Forensic Investigation
3.1 Introduction
• Computer forensics differs from other forensic sciences: electronic evidence is collected and examined.
• Although fingerprints or other evidence may also be obtained from the devices collected at a crime scene, a computer forensic technician uses specialized methods, techniques, and tools to acquire data stored on digital storage media.
3.1 Introduction (Cont.)
• Once the data is acquired from a device, the computer forensic technician examines it to identify which files, folders, or information may be useful as evidence and can provide facts about the case.
• Although computer forensics is commonly used in criminal cases, it may also be used in civil disputes or corporate investigations, such as:
3.1 Introduction (Cont.)
• When internal policies have been violated. For example, when an employee is suspected of using computing resources to perform some action that violates policy, the files, e-mail, and other data on the computer may be inspected.
• Because the violations could lead to criminal charges or civil actions against the employee, it is important that forensic procedures are followed.
3.1 Introduction (Cont.)
• Collecting such evidence requires following established procedures, and can take a considerable amount of time to ensure it is collected correctly.
• Because the evidence may reveal the identity of a culprit and be used to establish the guilt or innocence of people, it is vital that the data are not modified as they are acquired, or altered afterwards when they are examined.
• Any actions taken must be documented in case this information is required in court.
3.1 Introduction (Cont.)
• Files stored on computers are often used in place of other record systems, and may contain a significant amount of information that can be employed to convict a suspect or prove their innocence.
• For example, in a homicide investigation, a suspect may have written about their plans in a diary on the computer or in a blog on the Internet.
3.1 Introduction (Cont.)
Investigating computer crime:
• Determine if there has been an incident
• Find and interpret the clues left behind
• Do a preliminary assessment to search for the evidence
• Search and seize the computer equipment
3.2.1 How an Investigation Starts
Plan your investigation. A basic investigation plan should include the following activities:
• Acquire the evidence
• Complete an evidence form and establish a chain of custody
• Transport the evidence to a computer forensics lab
• Secure the evidence in an approved secure container
• Prepare a forensics workstation
• Obtain the evidence from the secure container
• Make a forensic copy of the evidence
• Return the evidence to the secure container
• Process the copied evidence with computer forensics tools
3.2.1 How an Investigation Starts (Cont.)
An evidence custody form helps you document what has been done with the original evidence and its forensic copies.
Two types:
• Single-evidence form: lists each piece of evidence on a separate page
• Multi-evidence form
3.2.1 How an Investigation Starts (Cont.)
• When crimes are committed using computers, often the only evidence available to prosecute the person who committed the offense is in digital format.
• Illegal images exist only on a hard disk or other storage media
• Proof of an intruder's activities may be stored in log files
3.2.1 How an Investigation Starts (Cont.)
• Documents containing evidence of the crime are only available by investigating the computers used in the crime or those subjected to the crime.
• By examining the digital contents of these computers, an investigation can reach a successful conclusion:
  • Prosecuting the culprit
  • Using information acquired from the investigation to make existing systems more secure
3.2.1 How an Investigation Starts (Cont.)
• Investigations always start with a crime being committed and someone noticing it.
• For an investigation to begin, someone must notice that the crime has happened and report it to the appropriate authorities. If no complaint is made, the person gets away with the crime.
• The key role in any investigation is the complainant (plaintiff).
3.2.1 How an Investigation Starts (Cont.)
People typically perform three major roles when conducting an investigation. These roles are:
• First Responder
• Investigator
• Crime Scene Technician
First responder (a complainant):
• Identifies and protects the crime scene
• Preserves volatile evidence
3.2.1 How an Investigation Starts (Cont.)
Investigator (may be a member of law enforcement or the computer incident response team):
• Establishes chain of command
• Conducts the search of the crime scene
• Maintains the integrity of evidence
3.2.1 How an Investigation Starts (Cont.)
Crime scene technician (individuals who have been trained in computer forensics):
• Preserves volatile evidence and duplicates disks
• Shuts down systems for transport
• Tags and logs evidence
• Packages and transports evidence
• Processes evidence
3.2.2 Investigation Methodology
• Investigation methodology is the practices, procedures, and techniques used to collect, store, analyze, and present information and evidence obtained through a computer forensics investigation.
• The individual steps to perform these tasks may vary from case to case and depend on the types of software and equipment used.
• Common practices will always be consistent.
3.2.2 Investigation Methodology (Cont.)
The methodology of a computer forensics investigation can be divided into three basic stages:
• Acquisition
• Authentication
• Analysis
3.2.2 Investigation Methodology (Cont.)
Acquisition
• The act or process of gathering information and evidence
• The evidence in computer forensics is the data stored on the computer, not the computer that has been seized.
• The data will be used to provide insight into the details of a crime or other incident, and be used as evidence to convict a suspect.
• Make an exact copy of everything stored on the hard disk.
3.2.2 Investigation Methodology (Cont.)
Authentication
• The process of ensuring that the acquired evidence is the same as the data that was originally seized.
• If the data acquired from a computer were corrupted, modified, or missing from the imaging process, it would not only affect your ability to accurately examine the machine's contents, but could also make all of the evidence you find on the computer inadmissible in court.
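Worked example of the authentication stage, added here as an illustration and not part of the original slides or of any EC-Council material: a constructed eight-sector "disk" is acquired, its SHA-256 hash is recorded at acquisition time (as the custody form would record it), and the image is later re-hashed to detect the two failure modes the slide names, a modified bit and a truncated acquisition. All function names, the sector layout and the sample data are my own assumptions.

```python
import hashlib
from typing import Optional, Tuple

SECTOR = 512

# Constructed stand-in for a seized medium: eight 512-byte sectors of made-up
# data. A real acquisition streams the whole device sector by sector.
ORIGINAL_DISK = b"".join(bytes([i]) * SECTOR for i in range(8))


def sha256_hex(data: bytes, chunk: int = SECTOR) -> str:
    """Hash data in fixed-size chunks, as an imaging tool does while streaming a device."""
    h = hashlib.sha256()
    for off in range(0, len(data), chunk):
        h.update(data[off:off + chunk])
    return h.hexdigest()


def acquire(source: bytes) -> Tuple[bytes, str]:
    """Acquisition: make a bit-for-bit copy and record the source hash on the custody form."""
    return bytes(source), sha256_hex(source)


def authenticate(image: bytes, recorded_hash: str, source: Optional[bytes] = None) -> dict:
    """Authentication: is the image still identical to what was seized?

    matches_record - the image hashes to the value written down at acquisition,
                     so it has not been altered, corrupted or truncated since.
    matches_source - (only when the original medium is still available) the
                     recorded hash really is the hash of the original, so the
                     copy itself was faithful.
    """
    image_hash = sha256_hex(image)
    result = {"image_hash": image_hash, "matches_record": image_hash == recorded_hash}
    if source is not None:
        result["matches_source"] = sha256_hex(source) == recorded_hash
    return result


def demo() -> Tuple[dict, dict, dict]:
    """Run the three cases the slide warns about: intact, modified, and missing data."""
    image, recorded = acquire(ORIGINAL_DISK)
    intact = authenticate(image, recorded, ORIGINAL_DISK)

    # A single flipped bit anywhere in the image changes the whole digest.
    tampered = bytearray(image)
    tampered[1000] ^= 0x01
    modified = authenticate(bytes(tampered), recorded)

    # An acquisition that stopped one sector early is caught the same way.
    truncated = authenticate(image[:-SECTOR], recorded)
    return intact, modified, truncated


if __name__ == "__main__":
    for label, r in zip(("intact", "modified", "truncated"), demo()):
        print(label, r["matches_record"], r["image_hash"][:16])
```

The hash is computed over the medium at acquisition and written into the custody record; every later authentication only needs the image and that recorded value, which is why the original medium can go back into the secure container.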
3.2.2 Investigation Methodology (Cont.)
Analysis
• The process of examining and evaluating information.
• When examining computer files, it is vital that they are not modified in any way.
• This refers not only to changing the information in the file itself (such as by accidentally changing the values entered in a spreadsheet), but also to modifying the properties of the file.
• For example, opening a file could change the date and time property that shows when the file was last accessed.
3.2.3 The Role of Evidence
• Identifies what evidence is present and where it is located
  • For example, if someone broke into a server room and changed permissions on the server, the room and the server would be where you would find evidence.
• Investigators must follow the rules of evidence, depending on the laws of the locality where the crime was committed
• Identifies how the evidence can be recovered
• Photographs the screen of a computer to record any volatile data displayed
• Collects backup media
3.2.3 The Role of Evidence (Cont.)
• Findings from evidence admitted in a criminal case can be used in a civil court and vice versa
• The latest rules regarding digital evidence are updated on the US Department of Justice web site, www.usdoj.gov.
3.2.4 Securing Evidence
• Securing evidence is a process that begins when a crime is first suspected, and continues after the examination has been completed. Once a trial, civil suit, or disciplinary hearing has ended, the evidence must still remain secure in case of an appeal or other processes.
• The integrity of evidence must be retained, so that the original evidence is preserved in a state as close as possible to when it was initially acquired.
3.2.4 Securing Evidence (Cont.)
• If evidence is lost, altered, or damaged, then you may not be able even to mention it in court
• The credibility of how evidence was collected and examined may be called into question, making other pieces of evidence inadmissible as well
• The evidence acquired from the crime scene depends upon the nature of the case and the alleged crime or violation.
3.2.4 Securing Evidence (Cont.)
Standard tools to help secure a crime scene include:
• Digital camera
• Sketchpad
• Pencils
• Tape
• Gloves
• Screwdriver
• Evidence bags
• Needle-nose pliers
• Bolt cutters
3.2.4 Securing Evidence (Cont.)
• Evidence for a case may include an entire computer and its associated media
• Securing the crime scene includes volatile evidence (lost when a system is powered off or if power is disrupted); the order of volatility, most volatile first, is:
  • Registers and cache
  • Routing tables, ARP cache, process tables, and kernel statistics
  • Contents of system memory
  • Temporary file systems
  • Data on disk
3.2.4 Securing Evidence (Cont.)
• Sterilize all the media to be used in the examination process
• Enter the crime scene, take a snapshot of the scene, and then carefully scan the data sources
• Retain and document the state and integrity of items at the crime scene
3.2.4 Securing Evidence (Cont.)
• Take custody of the entire computer, including hardware peripherals such as the keyboard, mouse, and monitor. All floppy diskettes and other removable media must be confiscated and taken to the forensic lab for preservation and duplication
• Use evidence bags to secure and catalog the evidence
• Use computer-safe products:
  • Antistatic bags
  • Antistatic pads
3.2.4 Securing Evidence (Cont.)
• Use evidence tape to seal all openings:
  • Floppy disk or CD/VCD drives
  • USB drive
  • Power supply electrical cord
• Write your initials on the tape to prove that the evidence has not been tampered with
• Consider computer-specific temperature and humidity ranges
• Use well-padded containers
• Transport the evidence to the forensic facility
3.2.5 Chain of Evidence Form
• Also known as chain of custody
• The route the evidence takes from the time you find it until the case is closed or goes to court
• Important because:
  • It proves where a piece of evidence was at any given time and who was responsible for it.
  • You can establish that the integrity of the evidence was not compromised.
3.2.5 Chain of Evidence Form (Cont.) Example
3.2.6 Before Investigating
The following points should be kept in mind before starting the investigation:
• Have skilled professionals
• Workstation and data recovery lab
• Alliance with a local District Attorney
• Define the methodology
3.2.6 Before Investigating (Cont.)
When a crime does occur, certain actions must also be taken before attempting to acquire evidence from a machine:
• Preparing for an investigation
• Interviewing
• Search warrants
3.2.6 Before Investigating (Cont.)
Preparing for an investigation
The following points need to be considered:
• A good understanding of the technical, legal, and evidentiary aspects of computers and networks
• A proper methodology
• Steps for collecting and preserving the evidence
• Steps for performing forensic analysis
3.2.6 Before Investigating (Cont.)
Interviewing
• Usually conducted to collect information from a witness or suspect about specific facts related to an investigation
Search warrants
• A legal document that permits members of law enforcement to search a specific location for evidence related to a criminal investigation, and possibly seize that evidence so it can be analyzed and possibly used in court
3.2.6 Before Investigating (Cont.)
Executing the investigation
• To carry out an investigation, a search warrant from a court is required
• Warrants can be issued for:
  • Entire company
  • Floor
  • Room
  • Just a device
  • Car
  • House
  • Any company property
3.2.7 Professional Conduct
• Maintain professional conduct at all times in an investigation; this determines the credibility of a forensic investigator
• Investigators must display the highest level of ethics and integrity; this indicates how you are handling the case as a whole
• Maintain a balance of morality and objectivity
3.2.7 Professional Conduct (Cont.)
• Professional detachment: placing all of your attention on the work rather than on the emotional or psychological stress factors that may be involved
• Confidentiality is an essential feature that all forensic investigators must keep
• Keep information about the case private and do not reveal information to those who are not directly involved in investigating the incident.
3.3.1 Policy and Procedure Development
Policy Violations
• All employees of the company should be informed of the company policy
• Employees using the company's resources for personal use not only waste the company's time and resources but also violate company policy
• Employees misusing resources can cost companies millions of dollars
3.3.1 Policy and Procedure Development
Policy Violations (Cont.)
• Misuse includes:
  • Surfing the Internet
  • Sending personal e-mails
  • Using company computers for personal tasks
• Such employees should be traced and educated about the company policy
• If the problem persists, action should be taken
3.3.2 Employee Termination Cases
• The majority of investigative work for termination cases involves employee abuse of corporate assets
• Internet abuse investigations. To conduct an investigation you need:
  • The organization's Internet proxy server logs
  • The suspect computer's IP address
  • The suspect computer's disk drive
  • Your preferred computer forensics analysis tool
3.3.2 Employee Termination Cases (Cont.)
Recommended steps:
• Use standard forensic analysis techniques and procedures
• Use appropriate tools to extract all Web page URL information
• Contact the network firewall administrator and request a proxy server log
• Compare the data recovered from forensic analysis to the proxy server log
• Continue analyzing the computer's disk drive data
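Added example (my own code, not from the slides or from any forensic tool) of the comparison step above: proxy log lines in a constructed, simplified space-separated layout and a constructed list of URLs recovered from the suspect's disk are normalized and correlated by the suspect's IP address, so that every URL ends up either corroborated by both sources, seen only at the proxy, or found only on disk. The log layout, addresses and host names are invented for the example; a real proxy log would need a parser for its own format.

```python
from typing import Dict, List
from urllib.parse import urlsplit, urlunsplit

# Constructed proxy access-log lines in a simplified layout:
#   unix_time client_ip method url status
# Addresses and host names are invented (RFC 2606 example domains).
PROXY_LOG = """\
1700000000.123 10.0.5.23 GET http://intranet.example.com/timesheet 200
1700000061.456 10.0.5.23 GET http://videos.example.net/watch?id=42 200
1700000122.789 10.0.5.77 GET http://news.example.org/ 200
1700000190.001 10.0.5.23 GET http://shop.example.net/cart 200
1700000250.500 10.0.5.23 GET http://games.example.net/play 200
1700000300.777 10.0.5.23 GET HTTP://Videos.example.net/watch?id=42 304
this line is malformed and is skipped
""".splitlines()

# Constructed list of URLs recovered from the suspect's disk (browser history
# and cache) by the forensic analysis tool.
RECOVERED_FROM_DISK = [
    "http://videos.example.net/watch?id=42",
    "http://shop.example.net/cart/",
    "http://jobs.example.org/apply",
    "http://intranet.example.com/timesheet",
]


def normalize(url: str) -> str:
    """Canonical form so that case and trailing-slash differences do not hide a match."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def parse_proxy_log(lines: List[str]) -> List[dict]:
    """Parse the constructed log layout; malformed lines are skipped rather than fatal."""
    records = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            records.append({"time": float(fields[0]), "ip": fields[1], "method": fields[2],
                            "url": normalize(fields[3]), "status": int(fields[4])})
        except ValueError:
            continue
    return records


def correlate(log_lines: List[str], suspect_ip: str, recovered_urls: List[str]) -> Dict[str, set]:
    """Split URLs into those seen at both sources, at the proxy only, and on disk only."""
    proxy_urls = {r["url"] for r in parse_proxy_log(log_lines) if r["ip"] == suspect_ip}
    disk_urls = {normalize(u) for u in recovered_urls}
    return {
        "corroborated": proxy_urls & disk_urls,  # two independent sources agree
        "proxy_only": proxy_urls - disk_urls,    # history cleared, or another browser/profile
        "disk_only": disk_urls - proxy_urls,     # visited off the network or outside the log window
    }


if __name__ == "__main__":
    for bucket, urls in correlate(PROXY_LOG, "10.0.5.23", RECOVERED_FROM_DISK).items():
        print(bucket, sorted(urls))
```

The "disk only" and "proxy only" buckets are the ones that need explaining in the report: each is a sign that one source is incomplete, not necessarily that the suspect did something.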
3.3.2 Warning Banners
• A warning banner is text that appears at the point of access to a company computer.
• Two items that should appear:
  • Text that states the ownership of the computer
  • Text that specifies appropriate use of the machine or Internet access.
3.3.2 Warning Banners (Cont.)
• Appears at the point of access
• Warns both authorized and unauthorized users
• A banner policy makes it easier to investigate unauthorized usage
• Employees are warned about the consequences if the company's policies are violated
3.3.2 Warning Banners (Cont.) Example of warning banners
3.4.1 The Investigation Process
• To perform an investigation properly, it is important to follow set procedures, which detail the steps to be taken.
• Following these guidelines will:
  • Help you meet the goals of incident handling
  • Provide information that can be used to handle the incident
  • Avoid escalation into a more significant problem
3.4.1 The Investigation Process (Cont.)
Six steps should be followed:
• Preparation
• Detection
• Containment
• Eradication
• Recovery
• Follow-up
3.4.1 The Investigation Process (Cont.)
Preparation
• Preparation enables easy coordination among staff
• Providing baseline protection
• Using virus detection and eradication tools
• Providing training to the staff
Detection
• This involves validating, identifying, and reporting the incident
• Determining the symptoms given in 'how to identify an incident'
3.4.1 The Investigation Process (Cont.)
• Identifying the nature of the incident
• Identify the events
• Protect the evidence
• Log and make a report of whatever anomalies have occurred.
• Some of the important symptoms that can be found:
  • An intrusion detection system alarm: when the system traces an intrusion, an alarm starts that alerts everybody to the incident
3.4.1 The Investigation Process (Cont.)
  • A person repeatedly trying and failing to log in to systems in order to gain unauthorized access
  • New files or folders are found. This should be looked into seriously, because they can be a virus, a worm, or any other malicious code
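Added example, not from the slides, of turning two of these symptoms into checks a responder can run: a detector that flags a source address with a burst of failed sshd logins inside a short window, run over constructed syslog-style lines, and a comparison of a path-to-hash snapshot against a known-good baseline to surface new, changed or missing files. The host name, the addresses (from the TEST-NET-3 documentation range) and the hash values are constructed; the year supplied to the parser is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sshd-style log lines in syslog layout (host name and addresses invented).
AUTH_LOG = """\
Mar 10 09:12:01 fileserver sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 4411 ssh2
Mar 10 09:12:03 fileserver sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 4412 ssh2
Mar 10 09:12:05 fileserver sshd[1205]: Failed password for root from 203.0.113.9 port 4413 ssh2
Mar 10 09:12:08 fileserver sshd[1207]: Failed password for root from 203.0.113.9 port 4414 ssh2
Mar 10 09:12:10 fileserver sshd[1209]: Failed password for root from 203.0.113.9 port 4415 ssh2
Mar 10 09:30:44 fileserver sshd[1300]: Failed password for alice from 10.0.5.23 port 50122 ssh2
Mar 10 09:31:02 fileserver sshd[1302]: Accepted password for alice from 10.0.5.23 port 50123 ssh2
Mar 10 11:05:17 fileserver sshd[1400]: Failed password for bob from 10.0.5.40 port 50300 ssh2
""".splitlines()

FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_failures(lines: List[str], year: int = 2024) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, source_ip, username) for each failed-login line.
    Syslog lines carry no year, so the caller supplies it (assumed 2024 here)."""
    found = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            found.append((stamp, m.group(3), m.group(2)))
    return found


def failed_login_bursts(lines: List[str], threshold: int = 5,
                        window_seconds: int = 60) -> Dict[str, int]:
    """Flag sources with at least `threshold` failures inside any `window_seconds` span.
    Returns {source_ip: largest burst size} for the flagged sources only."""
    by_ip = defaultdict(list)
    for stamp, ip, _user in parse_failures(lines):
        by_ip[ip].append(stamp)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):           # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed path -> hash snapshots; the hash strings are stand-in tokens, not real digests.
BASELINE = {"/usr/bin/ls": "h1", "/etc/passwd": "h2", "/etc/cron.d/backup": "h3"}
CURRENT = {"/usr/bin/ls": "h1", "/etc/passwd": "h2-changed", "/tmp/.cache/svc.bin": "h9"}


def new_or_changed(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a fresh snapshot against a baseline taken when the system was known-good."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


if __name__ == "__main__":
    print(failed_login_bursts(AUTH_LOG))
    print(new_or_changed(BASELINE, CURRENT))
```

Both checks only produce leads: a flagged address still has to be tied to a person or a process, and a new file is only a symptom until its contents are examined on a forensic copy.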
3.4.1 The Investigation Process (Cont.)
Containment
• Limit the extent and intensity of an incident as quickly as possible
• Avoid potentially compromising code such as FTP downloads
• Move the data to another secure network
• Use an intrusion detection system to track the attacker
• Make complete backups of infected systems
• Change the passwords of all the unaffected systems in the LAN.
3.4.1 The Investigation Process (Cont.)
Eradication
• In this stage the documents are looked into to find and remove the cause of the incident
• Use standard anti-virus tools to remove viruses/worms from storage media
• Determine cause and symptoms
• Improve security measures by enabling firewalls and router filters, or by assigning new IP addresses
• Perform vulnerability analysis
3.4.1 The Investigation Process (Cont.)
Recovery
• Determine the course of action
• Monitor and validate systems
• Determine the integrity of the backup itself by attempting to read its data
• Verify the success of the operation and the normal condition of the system
• Monitor the system using network loggers and system log files, and check for potential back doors.
3.4.1 The Investigation Process (Cont.)
Follow-up
• Revise policies and procedures from the lessons learnt from the past
• Determine the staff time required and perform the following cost analysis:
  • Associated cost
  • Extent to which the incident disrupted the organization
  • Data lost and its value
  • Damaged hardware and its cost
3.4.2 Evidence Assessment
• Processing evidence is a four-part set of procedures consisting of assessment, acquisition, examination, and documentation.
• Evidence assessment is the first part of this process, and involves evaluating issues related to the case and the digital evidence that is being sought.
• Requires reviewing:
  • The search warrant or details of legal authorization to obtain the evidence
  • The details of the case
3.4.2 Evidence Assessment (Cont.)
  • Hardware and software that may be involved
  • The evidence you hope to acquire for later evaluation
3.4.3 Acquiring Evidence
The following steps are performed to collect the evidence:
• Find the evidence
• Discover the relevant data
• Prepare an order of volatility
• Eradicate external avenues of alteration
• Gather the evidence
• Prepare the chain of custody
3.4.3 Acquiring Evidence (Cont.)
Imaging the Evidence Disk
• Capture an accurate image of the system as soon as possible.
• The forensic copy can be created using various techniques, such as:
  • Using MS-DOS to create a bit-stream copy of a floppy disk / hard disk
  • Using imaging software to acquire a bit-stream copy of a floppy disk / hard disk
3.4.3 Acquiring Evidence (Cont.)
Understanding Bit-stream Copies
• Bit-stream copy: bit-by-bit copy of the original storage medium
• Exact copy of the original disk
• Different from a simple backup copy:
  • Backup software only copies known files
  • Backup software cannot copy deleted files or e-mail messages, or recover file fragments
3.4.3 Acquiring Evidence (Cont.)
Bit-stream image
• File containing the bit-stream copy of all data on a disk or partition
• Also known as a forensic copy
3.4.4 Evidence Examination
• Analysis can be carried out using various forensic analysis tools such as EnCase, AccessData, etc.
• Working from an image of the original machine, files and other data can be extracted from the image to separate files, which can then be reviewed by the examiner.
• Extraction of evidence from a hard disk can occur at either of two levels:
  • Logical extraction
  • Physical extraction
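Added example (my own code, not from the slides, EnCase or AccessData) that serves both the bit-stream copy slides in 3.4.3 and the two extraction levels named just above: on a tiny constructed "disk" of 16 sectors, a file-level backup only sees the files a toy directory still lists (the logical view), while a bit-stream copy keeps every sector, so carving the copy for a known header recovers a deleted draft whose bytes remain in unallocated space (the physical view). The directory structure, the `MSG1` marker and the file contents are simplified constructs, not a real file system or file format.

```python
from typing import Dict, List, Tuple

SECTOR = 64       # tiny sector size for the example; real disks use 512 or 4096 bytes
N_SECTORS = 16


def make_disk() -> Tuple[bytes, Dict[str, Tuple[int, int]]]:
    """Build a constructed disk image plus a toy directory: name -> (first sector, length).

    The directory stands in for the file system's view of which files exist.
    Deleting a file only removes its directory entry; the bytes stay on disk.
    """
    disk = bytearray(SECTOR * N_SECTORS)
    directory: Dict[str, Tuple[int, int]] = {}

    def write(name: str, first_sector: int, data: bytes) -> None:
        start = first_sector * SECTOR
        disk[start:start + len(data)] = data
        directory[name] = (first_sector, len(data))

    write("notes.txt", 2, b"Quarterly notes: nothing unusual.")
    write("draft.msg", 5, b"MSG1 deleted draft: customer list exported on 3 March")
    write("todo.txt", 9, b"- buy milk\n- call dentist")
    del directory["draft.msg"]      # "deleted": entry gone, data still in sector 5
    return bytes(disk), directory


def backup_copy(disk: bytes, directory: Dict[str, Tuple[int, int]]) -> Dict[str, bytes]:
    """File-level backup (logical extraction): copies only files the directory still lists."""
    return {name: disk[f * SECTOR:f * SECTOR + n] for name, (f, n) in directory.items()}


def bitstream_copy(disk: bytes) -> bytes:
    """Forensic copy: every byte of every sector, allocated or not."""
    return bytes(disk)


def carve(blob: bytes, marker: bytes = b"MSG1", max_len: int = SECTOR) -> List[str]:
    """Physical extraction: find fragments by a known header, ignoring any directory.
    Each fragment is cut at the first NUL byte or at max_len, whichever comes first."""
    found, pos = [], blob.find(marker)
    while pos != -1:
        fragment = blob[pos:pos + max_len].split(b"\x00", 1)[0]
        found.append(fragment.decode("ascii", "replace"))
        pos = blob.find(marker, pos + len(marker))
    return found


if __name__ == "__main__":
    disk, directory = make_disk()
    print("backup sees:", sorted(backup_copy(disk, directory)))
    print("carved from backup:", carve(b"".join(backup_copy(disk, directory).values())))
    print("carved from bit-stream copy:", carve(bitstream_copy(disk)))
```

Carving on the backup finds nothing because the backup never contained sector 5; the same search on the bit-stream copy recovers the deleted draft, which is exactly the difference between the two copies that the slides describe.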
3.4.5 Documenting and Reporting of Evidence
• Investigators document their evidence by creating an evidence form
• Evidence forms must be updated based on the changing technology and methods in recovering data
• Functions of the evidence form include:
  • Identifying the evidence
  • Identifying the investigator handling the case
  • Listing the dates and times that the case was handled
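Added example, not from the slides, that implements the evidence custody form described here and the chain-of-custody slides in 3.2.5 as an append-only log: each entry records the evidence item, the handler, the location, the date and time and an action, and commits to the hash of the entry before it, so the record can show who held the item at any given moment and any later edit, deletion or reordering of an entry is detectable. Evidence IDs, names, serial and hash values are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Union

GENESIS = "0" * 64  # previous-hash value used by the first entry


def _entry_hash(entry: dict) -> str:
    """Hash every field except the hash itself, over a canonical JSON encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item."""

    def __init__(self, evidence_id: str, description: str, evidence_hash: str,
                 collected_by: str, location: str, when: Optional[datetime] = None):
        self.evidence_id = evidence_id
        self.description = description
        self.evidence_hash = evidence_hash   # hash of the medium recorded at acquisition
        self.entries: List[dict] = []
        self.record("collected", collected_by, location, when, note=description)

    def record(self, action: str, handler: str, location: str,
               when: Optional[datetime] = None, note: str = "") -> dict:
        """Append one handling or transfer event; timestamps are stored in UTC."""
        stamp = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "action": action,
            "handler": handler,
            "location": location,
            "timestamp": stamp.isoformat(),
            "note": note,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, otherwise the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or e["entry_hash"] != _entry_hash(e):
                return i
            prev = e["entry_hash"]
        return -1

    def custodian_at(self, when: Union[datetime, str]) -> Optional[dict]:
        """The latest entry at or before `when`: who held the item, and where."""
        moment = datetime.fromisoformat(when) if isinstance(when, str) else when
        current = None
        for e in self.entries:
            if datetime.fromisoformat(e["timestamp"]) <= moment:
                current = e
        return current


def build_example_log() -> CustodyLog:
    """Constructed custody history for a seized laptop drive; every value is invented."""
    def at(hour: int) -> datetime:
        return datetime(2024, 3, 10, hour, 0, tzinfo=timezone.utc)

    log = CustodyLog("EV-2024-0042", "Laptop HDD, 500 GB, serial XYZ-0001 (constructed)",
                     "sha256:<placeholder>", "A. FirstResponder", "Office 3B (scene)", at(9))
    log.record("transported", "C. Technician", "Forensics lab", at(11))
    log.record("stored", "C. Technician", "Evidence locker 7", at(12), note="sealed, tape initialled")
    log.record("imaged", "D. Examiner", "Lab workstation 2", at(14), note="bit-stream copy made")
    log.record("returned", "D. Examiner", "Evidence locker 7", at(16))
    return log


if __name__ == "__main__":
    log = build_example_log()
    print("intact:", log.verify() == -1)
    print("at 13:30:", log.custodian_at("2024-03-10T13:30:00+00:00")["location"])
```

The hash chain does not stop a custodian from writing a false entry in the first place; what it gives you is that every entry after the fact is fixed, so a form altered later no longer matches the copies held by the lab or the court.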
3.4.5 Documenting and Reporting of Evidence (Cont.) Example of evidence form
3.4.6 Closing the Case
• The investigator should include what was done and the results in the final report
• A basic report includes: who, what, when, where, and how
• In a good computing investigation the steps can be repeated and the results obtained are the same every time
• The report should explain the computer and network processes
• Explanation should be provided for the various processes and the inner workings of the system and its various interrelated components
Summary
• Take a systematic approach to investigations
• Take into account the nature of the case, instructions, and tools while planning the case
• Apply standard problem-solving techniques
• Always maintain a journal to make notes of everything
• Create bit-stream copies of files using either the Diskcopy DOS utility or the Image tool
• Keep track of the chain of custody of your evidence