1. Computer Forensics and Investigations as a Profession

(1)

Guide to Computer Forensics

and Investigations

Fourth Edition

Chapter 1

(2)

Objectives



Defie compᘦuter fmomreisics



Describe homw tom ᘦreᘦare fmomr compᘦuter

iivestigatiomis aid exᘦlaii the difereice

betweei law eifmomrcepeit ageicy aid

comrᘦomrate iivestigatiomis

(3)

Understanding Computer Forensics



Computer forensics

 Iivomlves ombtaiiiig aid aialyziig digital

iifmomrpatiomi

 As evideice ii civil, cripiial, omr adpiiistrative cases



FBI Compᘦuter Aialysis aid Resᘦomise Teap

(CART)

 Fomrped ii 1984 tom haidle the iicreasiig

(4)

(5)

Understanding Computer Forensics

(continued)



Fourth Amendment

tom the U.S. Comistitutiomi

 Promtects everyomie’s rights tom be secure ii their

ᘦersomi, resideice, aid ᘦromᘦerty  Fromp search aid seizure

(6)

Computer Forensics Versus Other

Related Disciplines

 Compᘦuter fmomreisics

 Iivestigates data that cai be retrieved fmromp a

compᘦuter’s hard disk omr omther stomrage pedia  Netwomrk fmomreisics

 Yields iifmomrpatiomi abomut homw a ᘦerᘦetratomr omr ai

attacker gaiied access tom a ietwomrk  Data recovery

 Recomveriig iifmomrpatiomi that was deleted by pistake

 Or lomst duriig a ᘦomwer surge omr server crash

(7)

Computer Forensics Versus Other

Related Disciplines (continued)

 Compᘦuter fmomreisics

 Task omfm recomveriig data that users have hiddei omr

deleted aid usiig it as evideice

 Evideice cai be inculpatory (“iicripiiatiig”) omr

exculpatory

 Disaster recovery

 Uses compᘦuter fmomreisics techiiques tom retrieve

iifmomrpatiomi their clieits have lomst

 Iivestigatomrs omfmtei womrk as a teap tom pake

(8)

(9)

Computer Forensics Versus Other

Related Disciplines (continued)



Enterprise network environment

 Large comrᘦomrate compᘦutiig systeps that pight

iiclude disᘦarate omr fmomrperly iideᘦeideit systeps



Vulnerability assessment and risk

management

gromuᘦ

 Tests aid verifes the iitegrity omfm staidalomie

womrkstatiomis aid ietwomrk servers

 Promfmessiomials ii this gromuᘦ have skills ii network

(10)

Computer Forensics Versus Other

Related Disciplines (continued)



Litigation

 Legal ᘦromcess omfm ᘦromviig guilt omr iiiomceice ii

comurt



Computer investigations

gromuᘦ

 Maiages iivestigatiomis aid comiducts fmomreisic

(11)

(12)

A Brief History of Computer Forensics

 By the 1970s, electromiic cripes were iicreasiig,

esᘦecially ii the fiaicial sectomr

 Momst law eifmomrcepeit omfcers didi’t kiomw eiomugh

abomut compᘦuters tom ask the right questiomis  Or tom ᘦreserve evideice fmomr trial

 1980s

 PCs gaiied ᘦomᘦularity aid difereit OSs eperged

 Disk Oᘦeratiig Systep (DOS) was available

 Fomreisics tomomls were sipᘦle, aid pomst were

(13)

A Brief History of Computer Forensics

(continued)



Mid-1980s

 Xtree Gomld aᘦᘦeared omi the parket

 Recomgiized fle tyᘦes aid retrieved lomst omr

deleted fles

 Nomrtomi DiskEdit somomi fmomllomwed

 Aid becape the best tomoml fmomr fidiig deleted fle



1987

 Aᘦᘦle ᘦromduced the Mac SE

 A Maciitomsh with ai exterial EasyDrive hard

(14)

(15)

(16)

A Brief History of Computer Forensics

(continued)



Early 1990s

 Tomomls fmomr compᘦuter fmomreisics were available  International Association of Computer

Investigative Specialists (IACIS)

 Traiiiig omi somfmtware fmomr fmomreisics iivestigatiomis

 IRS created search-warrait ᘦromgraps  ExᘦertWitiess fmomr the Maciitomsh

 First comppercial GUI somfmtware fmomr compᘦuter fmomreisics

(17)

A Brief History of Computer Forensics

(continued)

 Early 1990s (comitiiued)

 ExᘦertWitiess fmomr the Maciitomsh

 Recomvers deleted fles aid fmragpeits omfm deleted fles

 Large hard disks ᘦomsed ᘦrombleps fmomr iivestigatomrs

 Nomw

 iLomomk

 Maiitaiied by the IRS, lipited tom law eifmomrcepeit  EiCase

 Available fmomr ᘦublic omr ᘦrivate use  AccessData Fomreisic Tomomlkit (FTK)

(18)

(19)

Most Important Commercial Forensic

Software Today



EiCase

 liik Ch 1a omi py Web ᘦage  Gom tom Sapsclass.iifmom, thei

click CNIT 121 

FTK

 Liik Ch 1b

 Free depom versiomi (we will

(20)

Open Source Forensic Tools



Liiux-based

 Kiomᘦᘦix Live CDs  Helix

 Ubuitu  Backtrack

(21)

(22)

Understanding Case Law



Techiomlomgy is evomlviig at ai exᘦomieitial ᘦace

 Existiig laws aid statutes cai’t keeᘦ uᘦ chaige



Case law used whei statutes omr regulatiomis

domi’t exist



Case law allomws legal comuisel tom use ᘦreviomus

cases sipilar tom the curreit omie

 Because the laws domi’t yet exist

(23)

Developing Computer Forensics Resources



Yomu pust kiomw pomre thai omie compᘦutiig

ᘦlatfmomrp

 Such as DOS, Wiidomws 9x, Liiux, Maciitomsh,

aid curreit Wiidomws ᘦlatfmomrps



Jomii as paiy compᘦuter user gromuᘦs as yomu

cai



Computer Technology Investigators

Network (CTIN)

 Meets pomithly tom discuss ᘦrombleps that law

(24)

Developing Computer Forensics

Resources (continued)

 High Technology Crime Investigation

Association (HTCIA)

 Exchaiges iifmomrpatiomi abomut techiiques related

tom compᘦuter iivestigatiomis aid security  User gromuᘦs cai be helᘦfmul

 Build a ietwomrk omfm compᘦuter fmomreisics exᘦerts

aid omther ᘦromfmessiomials

 Aid keeᘦ ii tomuch thromugh e-pail

 Outside exᘦerts cai ᘦromvide detailed

(25)

Public and

Private

(26)

Preparing for Computer Investigations



Compᘦuter iivestigatiomis aid fmomreisics fmalls

iitom twom distiict categomries

 Public iivestigatiomis

 Private omr comrᘦomrate iivestigatiomis



Public iivestigatiomis

 Iivomlve gomveripeit ageicies resᘦomisible fmomr

cripiial iivestigatiomis aid ᘦromsecutiomi

 Orgaiizatiomis pust ombserve legal guideliies



Law omfm

search and seizure

(27)

(28)

(29)

Preparing for Computer Investigations

(continued)

 Deal with ᘦrivate compᘦaiies, iomi-law-eifmomrcepeit

gomveripeit ageicies, aid lawyers

 Arei’t gomveried directly by criminal law omr

Fomurth Apeidpeit issues

 Gomveried by iiterial ᘦomlicies that defie exᘦected

epᘦlomyee behaviomr aid comiduct ii the womrkᘦlace  Private comrᘦomrate iivestigatiomis alsom iivomlve

litigatiomi disᘦutes

 Iivestigatiomis are usually comiducted ii civil

(30)

Law Enforcement

(31)

Understanding Law Enforcement Agency

Investigations



Ii a

criminal case

, a susᘦect is tried fmomr a

cripiial omfeise

 Such as burglary, purder, omr pomlestatiomi



Compᘦuters aid ietwomrks are sompetipes omily

tomomls that cai be used tom comppit cripes

 Maiy states have added sᘦecifc laiguage tom

cripiial comdes tom defie cripes iivomlviig compᘦuters, such as thefmt omfm compᘦuter data 

Fomllomwiig the legal ᘦromcess

 Legal ᘦromcesses deᘦeid omi lomcal customp,

(32)

Understanding Law Enforcement Agency

Investigations (continued)



Fomllomwiig the legal ᘦromcess (comitiiued)

 Cripiial case fmomllomws three stages

(33)

Understanding Law Enforcement Agency

Investigations (continued)



Fomllomwiig the legal ᘦromcess (comitiiued)

 A cripiial case begiis whei sompeomie fids

evideice omfm ai illegal act

 Compᘦlaiiait pakes ai allegation, ai

accusatiomi omr suᘦᘦomsitiomi omfm fmact

 A ᘦomlice omfcer iiterviews the compᘦlaiiait aid

writes a reᘦomrt abomut the cripe

 Police blotter ᘦromvides a recomrd omfm clues tom cripes that have beei comppitted ᘦreviomusly

 Iivestigatomrs delegate, comllect, aid ᘦromcess the

(34)

Police Blotter

(35)

Understanding Law Enforcement Agency

Investigations (continued)



Fomllomwiig the legal ᘦromcess (comitiiued)

 Afmter yomu build a case, the iifmomrpatiomi is turied

omver tom the ᘦromsecutomr

 Afdavit

 Swomri statepeit omfm suᘦᘦomrt omfm fmacts abomut omr evideice omfm a cripe

Subpitted tom a judge tom request a search

warrait

 Have the afdavit notarized uider swomri omath

 Judge pust aᘦᘦromve aid sigi a search warrait

(36)

(37)

Corporate

(38)

Understanding Corporate Investigations

 Iivomlve ᘦrivate compᘦaiies aid lawyers whom

address compᘦaiy ᘦomlicy viomlatiomis aid litigatiomi disᘦutes

 Comrᘦomrate compᘦuter cripes cai iivomlve:

 E-pail harasspeit

 Falsifcatiomi omfm data

 Geider aid age discripiiatiomi

 Epbezzlepeit

 Sabomtage

(39)

Understanding Corporate Investigations

(continued)

 Establishiig compᘦaiy ᘦomlicies

 Oie way tom avomid litigatiomi is tom ᘦublish aid paiitaii

ᘦomlicies that epᘦlomyees fid easy tom read aid fmomllomw

 Published compᘦaiy ᘦomlicies ᘦromvide a line of

authority

 Fomr a busiiess tom comiduct iiterial iivestigatiomis

 Well-defied ᘦomlicies

 Give compᘦuter iivestigatomrs aid fmomreisic exapiiers

the authomrity tom comiduct ai iivestigatiomi

 Disᘦlayiig Wariiig Baiiers

(40)

Understanding Corporate Investigations

(continued)

 Disᘦlayiig Wariiig Baiiers (comitiiued)

 _{Warning banner}

 Usually aᘦᘦears whei a compᘦuter starts omr comiiects tom the compᘦaiy iitraiet, ietwomrk, omr virtual ᘦrivate ietwomrk  Iifmomrps eid users that the omrgaiizatiomi reserves the right

tom iisᘦect compᘦuter systeps aid ietwomrk trafc at will  Establishes the right tom comiduct ai iivestigatiomi

 Repomves exᘦectatiomi omfm ᘦrivacy

 As a comrᘦomrate compᘦuter iivestigatomr

(41)

(42)

Understanding Corporate Investigations

(continued)



Desigiatiig ai authomrized requester

 Authorized requester has the ᘦomwer tom comiduct

iivestigatiomis

 Pomlicy shomuld be defied by executive

paiagepeit

 Gromuᘦs that shomuld have direct authomrity tom

request compᘦuter iivestigatiomis  Comrᘦomrate Security Iivestigatiomis  Comrᘦomrate Ethics Ofce

 Comrᘦomrate Equal Epᘦlomypeit Oᘦᘦomrtuiity Ofce  Iiterial Auditiig

(43)

Understanding Corporate Investigations

(continued)

 Comiductiig security iivestigatiomis

 Tyᘦes omfm situatiomis

 Abuse omr pisuse omfm comrᘦomrate assets  E-pail abuse

 Iiteriet abuse

 Be sure tom distiiguish betweei a compᘦaiy’s abuse

ᘦrombleps aid ᘦomteitial cripiial ᘦrombleps

 Comrᘦomratiomis omfmtei fmomllomw the silver-platter doctrine

 What haᘦᘦeis whei a civiliai omr comrᘦomrate

(44)

Understanding Corporate Investigations

(continued)



Distiiguishiig ᘦersomial aid compᘦaiy ᘦromᘦerty

 Maiy compᘦaiy ᘦomlicies distiiguish betweei

ᘦersomial aid compᘦaiy compᘦuter ᘦromᘦerty

 Oie area that’s difcult tom distiiguish iivomlves

PDAs, cell ᘦhomies, aid ᘦersomial iomtebomomk compᘦuters

 The safme ᘦomlicy is tom iomt allomw aiy ᘦersomially

omwied devices tom be comiiected tom compᘦaiy-omwied resomurces

(45)

(46)

Maintaining Professional Conduct

 Professional conduct

 Deterpiies yomur credibility

 Iicludes ethics, pomrals, aid staidards omfm behaviomr

 Maiitaiiiig ombjectivity peais yomu pust fmomrp aid

sustaii uibiased omᘦiiiomis omfm yomur cases

 Maiitaii ai iivestigatiomi’s credibility by keeᘦiig

the case comifdeitial

 Ii the comrᘦomrate eiviromipeit, comifdeitiality is

critical

 Ii rare iistaices, yomur comrᘦomrate case pight

(47)

Maintaining Professional Conduct

(continued)



Eihaice yomur ᘦromfmessiomial comiduct by

comitiiuiig yomur traiiiig



Recomrd yomur fmact-fidiig pethomds ii a jomurial



Atteid womrkshomᘦs, comifmereices, aid veidomr

comurses

