Guide to Computer Forensics
and Investigations
Fourth Edition
Chapter 1
Objectives
Define computer forensics
Describe how to prepare for computer investigations and explain the difference between law enforcement agency and corporate investigations
Understanding Computer Forensics
Computer forensics
Involves obtaining and analyzing digital information
As evidence in civil, criminal, or administrative cases
FBI Computer Analysis and Response Team (CART)
Formed in 1984 to handle the increasing
Understanding Computer Forensics
(continued)
Fourth Amendment to the U.S. Constitution
Protects everyone's rights to be secure in their person, residence, and property from search and seizure
Computer Forensics Versus Other
Related Disciplines
Computer forensics
Investigates data that can be retrieved from a computer's hard disk or other storage media
Network forensics
Yields information about how a perpetrator or an attacker gained access to a network
Data recovery
Recovering information that was deleted by mistake
Or lost during a power surge or server crash
Computer Forensics Versus Other
Related Disciplines (continued)
Computer forensics
Task of recovering data that users have hidden or deleted and using it as evidence
Evidence can be inculpatory ("incriminating") or exculpatory
Disaster recovery
Uses computer forensics techniques to retrieve information their clients have lost
Investigators often work as a team to make
Computer Forensics Versus Other
Related Disciplines (continued)
Enterprise network environment
Large corporate computing systems that might include disparate or formerly independent systems
Vulnerability assessment and risk management group
Tests and verifies the integrity of standalone workstations and network servers
Professionals in this group have skills in network
Computer Forensics Versus Other
Related Disciplines (continued)
Litigation
Legal process of proving guilt or innocence in court
Computer investigations group
Manages investigations and conducts forensic
A Brief History of Computer Forensics
By the 1970s, electronic crimes were increasing, especially in the financial sector
Most law enforcement officers didn't know enough about computers to ask the right questions
Or to preserve evidence for trial
1980s
PCs gained popularity and different OSs emerged
Disk Operating System (DOS) was available
Forensics tools were simple, and most were
A Brief History of Computer Forensics
(continued)
Mid-1980s
Xtree Gold appeared on the market
Recognized file types and retrieved lost or deleted files
Norton DiskEdit soon followed
And became the best tool for finding deleted files
1987
Apple produced the Mac SE
A Macintosh with an external EasyDrive hard
A Brief History of Computer Forensics
(continued)
Early 1990s
Tools for computer forensics were available
International Association of Computer Investigative Specialists (IACIS)
Training on software for forensics investigations
IRS created search-warrant programs
ExpertWitness for the Macintosh
First commercial GUI software for computer forensics
A Brief History of Computer Forensics
(continued)
Early 1990s (continued)
ExpertWitness for the Macintosh
Recovers deleted files and fragments of deleted files
Large hard disks posed problems for investigators
Now
iLook
Maintained by the IRS, limited to law enforcement
EnCase
Available for public or private use
AccessData Forensic Toolkit (FTK)
Most Important Commercial Forensic
Software Today
EnCase
Link Ch 1a on my Web page: go to Samsclass.info, then click CNIT 121
FTK
Link Ch 1b
Free demo version (we will
Open Source Forensic Tools
Linux-based
Knoppix Live CDs
Helix
Ubuntu
Backtrack
Understanding Case Law
Technology is evolving at an exponential pace
Existing laws and statutes can't keep up with the change
Case law is used when statutes or regulations don't exist
Case law allows legal counsel to use previous cases similar to the current one
Because the laws don't yet exist
Developing Computer Forensics Resources
You must know more than one computing platform
Such as DOS, Windows 9x, Linux, Macintosh, and current Windows platforms
Join as many computer user groups as you can
Computer Technology Investigators Network (CTIN)
Meets monthly to discuss problems that law
Developing Computer Forensics
Resources (continued)
High Technology Crime Investigation Association (HTCIA)
Exchanges information about techniques related to computer investigations and security
User groups can be helpful
Build a network of computer forensics experts and other professionals
And keep in touch through e-mail
Outside experts can provide detailed
Public and Private
Preparing for Computer Investigations
Computer investigations and forensics fall into two distinct categories
Public investigations
Private or corporate investigations
Public investigations
Involve government agencies responsible for criminal investigations and prosecution
Organizations must observe legal guidelines
Law of search and seizure
Preparing for Computer Investigations
(continued)
Private or corporate investigations
Deal with private companies, non-law-enforcement government agencies, and lawyers
Aren't governed directly by criminal law or Fourth Amendment issues
Governed by internal policies that define expected employee behavior and conduct in the workplace
Private corporate investigations also involve litigation disputes
Investigations are usually conducted in civil
Law Enforcement
Understanding Law Enforcement Agency
Investigations
In a criminal case, a suspect is tried for a criminal offense
Such as burglary, murder, or molestation
Computers and networks are sometimes only tools that can be used to commit crimes
Many states have added specific language to criminal codes to define crimes involving computers, such as theft of computer data
Following the legal process
Legal processes depend on local custom,
Understanding Law Enforcement Agency
Investigations (continued)
Following the legal process (continued)
Criminal case follows three stages
Understanding Law Enforcement Agency
Investigations (continued)
Following the legal process (continued)
A criminal case begins when someone finds evidence of an illegal act
Complainant makes an allegation, an accusation or supposition of fact
A police officer interviews the complainant and writes a report about the crime
Police blotter provides a record of clues to crimes that have been committed previously
Investigators delegate, collect, and process the
Police Blotter
Understanding Law Enforcement Agency
Investigations (continued)
Following the legal process (continued)
After you build a case, the information is turned over to the prosecutor
Affidavit
Sworn statement of support of facts about or evidence of a crime
Submitted to a judge to request a search warrant
Have the affidavit notarized under sworn oath
Judge must approve and sign a search warrant
Corporate
Understanding Corporate Investigations
Private or corporate investigations
Involve private companies and lawyers who address company policy violations and litigation disputes
Corporate computer crimes can involve:
E-mail harassment
Falsification of data
Gender and age discrimination
Embezzlement
Sabotage
Understanding Corporate Investigations
(continued)
Establishing company policies
One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
Published company policies provide a line of authority
For a business to conduct internal investigations
Well-defined policies
Give computer investigators and forensic examiners the authority to conduct an investigation
Displaying Warning Banners
Understanding Corporate Investigations
(continued)
Displaying Warning Banners (continued)
Warning banner
Usually appears when a computer starts or connects to the company intranet, network, or virtual private network
Informs end users that the organization reserves the right to inspect computer systems and network traffic at will
Establishes the right to conduct an investigation
Removes expectation of privacy
As a corporate computer investigator
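A banner only removes the expectation of privacy if it is actually shown before every login, so the following script is an added example (not material from the slides or the textbook) of deploying one on a Linux host: it installs the text for console and network logins and points OpenSSH at it. The company name, the banner wording, the file paths (/etc/issue, /etc/issue.net, /etc/ssh/sshd_config) and the ROOT-prefix convention are assumptions made for this example; the wording a real organization uses has to come from its published policy and be approved by counsel.

```shell
#!/bin/sh
# Added example, not part of the slides or the textbook: install a pre-login
# warning banner on a Linux host so it is shown on the console and before SSH
# authentication. Assumptions (mine): OpenSSH reads the "Banner" directive from
# sshd_config, and /etc/issue.net is the customary network banner file. Every
# function takes a ROOT prefix so it can be exercised against a scratch
# directory instead of the live /etc.
set -eu

# Banner wording constructed for this example; real text must match the
# organization's published policy and be approved by counsel.
BANNER_TEXT='WARNING: This system is the property of Example Corp (hypothetical name).
Access is restricted to authorized users for authorized business purposes.
The company reserves the right to inspect, monitor and record all activity on
its computer systems and networks at any time, without further notice.
Users have no expectation of privacy. Continued use constitutes consent.'

# write_banner ROOT: install the text for console logins (/etc/issue) and
# network logins (/etc/issue.net) under ROOT.
write_banner() {
    mkdir -p "$1/etc"
    printf '%s\n' "$BANNER_TEXT" > "$1/etc/issue.net"
    cp "$1/etc/issue.net" "$1/etc/issue"
}

# configure_sshd ROOT: point sshd at the banner file. Idempotent: an existing
# Banner directive, active or commented out, is replaced rather than duplicated,
# so re-running the script never leaves two directives in the file.
configure_sshd() {
    cfg="$1/etc/ssh/sshd_config"
    mkdir -p "$1/etc/ssh"
    [ -f "$cfg" ] || : > "$cfg"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$cfg"; then
        sed -E 's|^[[:space:]]*#?[[:space:]]*Banner[[:space:]].*|Banner /etc/issue.net|' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf 'Banner /etc/issue.net\n' >> "$cfg"
    fi
}

# banner_directives ROOT: number of active Banner directives; exactly 1 is correct.
banner_directives() {
    grep -Ec '^Banner[[:space:]]' "$1/etc/ssh/sshd_config"
}

# Demo against a scratch root (run with --demo); nothing on the host is touched.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    write_banner "$demo"
    configure_sshd "$demo"
    configure_sshd "$demo"        # second run must not add a duplicate
    echo "Banner directives: $(banner_directives "$demo")"
    cat "$demo/etc/ssh/sshd_config"
    rm -rf "$demo"
fi
```

Run it as `sh banner.sh --demo` to exercise it against a scratch directory; pass `/` as ROOT only once counsel has approved the text, then reload sshd. The replace-rather-than-append step matters because stock sshd_config files ship with a commented `#Banner none` line, and a naive append would leave two directives for the next administrator to puzzle over.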
Understanding Corporate Investigations
(continued)
Designating an authorized requester
Authorized requester has the power to conduct investigations
Policy should be defined by executive management
Groups that should have direct authority to request computer investigations
Corporate Security Investigations
Corporate Ethics Office
Corporate Equal Employment Opportunity Office
Internal Auditing
Understanding Corporate Investigations
(continued)
Conducting security investigations
Types of situations
Abuse or misuse of corporate assets
E-mail abuse
Internet abuse
Be sure to distinguish between a company's abuse problems and potential criminal problems
Corporations often follow the silver-platter doctrine
What happens when a civilian or corporate
Understanding Corporate Investigations
(continued)
Distinguishing personal and company property
Many company policies distinguish between personal and company computer property
One area that's difficult to distinguish involves PDAs, cell phones, and personal notebook computers
The safe policy is to not allow any personally owned devices to be connected to company-owned resources
Maintaining Professional Conduct
Professional conduct
Determines your credibility
Includes ethics, morals, and standards of behavior
Maintaining objectivity means you must form and sustain unbiased opinions of your cases
Maintain an investigation's credibility by keeping the case confidential
In the corporate environment, confidentiality is critical
In rare instances, your corporate case might
Maintaining Professional Conduct
(continued)
Enhance your professional conduct by continuing your training
Record your fact-finding methods in a journal
Attend workshops, conferences, and vendor courses