File000115 Presentation Transcript

  • Module II - Computer Forensics Investigation Process
  • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
  • News: Howard Eisemann, CEO of Able Forensic Investigations Announces New TSCM Investigative Section. Source: http://www.webwire.com/
  • Module Objective. This module will familiarize you with:
    • Investigating Computer Crime
    • Steps to Prepare for Computer Forensic Investigation
    • Investigation Process
    • Assess the Situation
    • Acquire the Evidence
    • Analyze the Evidence
    • Evidence Management
    • Report the Investigation
    • Present the Evidence to Court
  • Module Flow: Investigating Computer Crime → Steps to Prepare for a Computer Forensic Investigation → Assess the Situation → Acquire the Evidence → Analyze the Evidence → Evidence Management → Report the Investigation → Present the Evidence to Court
  • Investigating Computer Crime
    • Determine if an incident has occurred
    • Find and interpret the clues left behind
    • Conduct a preliminary assessment to search for the evidence
    • Search and seize the computer equipment
    • Collect evidence that can be presented in a court of law or at a corporate inquiry
  • Before the Investigation. Before starting the investigation, make sure you:
    • Have a workstation and a data recovery lab
    • Build an investigating team
    • Enter into an alliance with a local District Attorney
    • Review policies and laws
    • Notify decision makers and acquire authorization
    • Assess risks
    • Build a computer investigation toolkit
    • Define the methodology
  • Build a Forensics Workstation. The computer forensics approach should be clearly defined before building the forensic workstation. The workstation should have facilities and tools to:
    • Support hardware-based local and remote network drive duplication
    • Validate the image and the files' integrity
    • Identify the date and time when files were modified, accessed, or created
    • Identify deleted files
    • Support removable media
    • Isolate and analyze free drive space
  • Forensics Workstation (image slide)
  • Building the Investigation Team
    • Determine who should respond to an incident for a successful internal computer investigation
    • Identify team members and assign responsibility to each team member
    • Assign one team member as the technical lead for the investigation
    • Keep the investigation team as small as possible to ensure confidentiality and to protect the organization against unwanted information leaks
    • Ensure that every team member has the necessary clearance and authorization to conduct assigned tasks
    • Engage a trusted external investigation team if your organization does not have personnel with the necessary skills
  • People Involved in Computer Forensics
    • Attorney: gives legal advice
    • Photographer: photographs the crime scene and the evidence gathered
    • Incident Responder: responsible for the measures to be taken when an incident occurs
    • Decision Maker: responsible for authorization of a policy or procedure for the investigation process
  • People Involved in Computer Forensics (cont’d)
    • Incident Analyzer: analyzes incidents based on their occurrence
    • Evidence Examiner/Investigator: examines the evidence acquired and sorts out the useful evidence
    • Evidence Documenter: documents all the evidence and the phases of the investigation process
    • Evidence Manager: manages the evidence so that it is admissible in a court of law
    • Expert Witness: offers a formal opinion as testimony in a court of law
  • Review Policies and Laws. It is essential to understand the laws that apply to the investigation, including internal organization policies, before starting the investigation process. Identify possible concerns related to applicable Federal statutes (such as the Electronic Communications Privacy Act of 1986 (ECPA) and the Cable Communications Policy Act (CCPA), both as amended by the USA PATRIOT Act of 2001, and/or the Privacy Protection Act of 1980 (PPA)), State statutes, and local policies and laws. Best practices in reviewing policies and laws include:
    • Determine the extent of the authority to search
    • Determine the legal authorities for conducting an investigation
    • Consult a legal advisor on issues raised by any improper handling of the investigation
    • Ensure the customer’s privacy and confidentiality
  • Forensics Laws
    • 18 USC §1029. Fraud and related activity in connection with access devices
    • 18 USC §1030. Fraud and related activity in connection with computers
    • 18 USC §1361-2. Prohibits malicious mischief
    • Rule 402. Relevant Evidence Generally Admissible; Irrelevant Evidence Inadmissible
    • Rule 901. Requirement of Authentication or Identification
    • Rule 608. Evidence of Character and Conduct of Witness
    • Rule 609. Impeachment by Evidence of Conviction of Crime
  • Forensics Laws (cont’d)
    • Rule 502. Attorney-Client Privilege and Work Product; Limitations on Waiver
    • Rule 614. Calling and Interrogation of Witnesses by Court
    • Rule 701. Opinion Testimony by Lay Witnesses
    • Rule 705. Disclosure of Facts or Data Underlying Expert Opinion
    • Rule 1002. Requirement of Original
    • Rule 1003. Admissibility of Duplicates
  • Notify Decision Makers and Acquire Authorization. Decision makers are the people who implement policies and procedures for handling an incident. Notify the decision maker to obtain authorization when there are no written incident response policies and procedures. After authorization, assess the situation and define the course of action. Best practices for getting authorization include:
    • Obtain authorization from an authorized decision maker to conduct the investigation
    • Document all the events and decisions that occurred during the incident and the incident response
    • Depending on the scope of the incident, and in the absence of any national security or life safety issues, the first priority is to protect the organization from further harm
  • Risk Assessment
    • Identify the incident and the problems caused by it
    • Characterize the incident according to its severity
    • Determine the data loss or damage caused to the computer by the incident
    • Determine the possibility of other devices and systems being affected by the incident
    • Break communications with other devices to prevent the incident from spreading
  • Build a Computer Investigation Toolkit. Investigators need a collection of hardware and software tools to acquire data during an investigation. A computer investigation toolkit contains:
    • A laptop computer with appropriate software tools
    • Operating systems and patches
    • Application media
    • Write-protected backup devices
    • Blank media
    • Basic networking equipment
    • Cables
  • Computer Forensics Investigation Methodology: Obtain Search Warrant → Evaluate and Secure the Scene → Collect the Evidence → Secure the Evidence → Acquire the Data → Analyze the Data → Assess Evidence and Case → Prepare the Final Report → Testify in the Court as an Expert Witness
  • Steps to Prepare for a Computer Forensic Investigation
    • Suspend automated document destruction and recycling policies that may pertain to any relevant media or users at issue
    • Secure any relevant media the subject may have used, including hard drives, laptops, Blackberries, PDAs, cell phones, CD-ROMs, DVDs, USB drives, and MP3 players
    • Do not turn the computer off or on, run any programs, or attempt to access data on the computer. An expert will have the appropriate tools and experience to prevent data from being overwritten, damage from static electricity, or other spoliation concerns
  • Steps to Prepare for a Computer Forensic Investigation (cont’d)
    • Gather a list of names, email addresses, and other identifying information about those with whom the subject might have communicated
    • Obtain passwords to access encrypted or password-protected files, if possible
    • Once the machine is secured, obtain information about the machine, its peripherals, and the network to which it is connected
    • Identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination
  • Steps to Prepare for a Computer Forensic Investigation (cont’d)
    • Develop a list of key words or phrases to use when searching for relevant data
    • Maintain a "chain of custody" for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession
    • If the computer is accessed before the forensic expert is able to secure a mirror image, list the user(s) that accessed it, what files they accessed, and when this occurred, and find out why the computer was accessed
  • Computer Forensics Investigation Methodology (current step: Obtain Search Warrant)
  • Obtain Search Warrant. To carry out an investigation, a search warrant from a court is required. Warrants can be issued for an entire company, a floor, a room, a device, a car, a house, or any company-owned property. Questions to settle:
    • Where will this search be conducted? Is it practical to search the computer system on site, or must the examination be conducted at a field office or laboratory?
    • If agents remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
  • Example of Search Warrant (image slide)
  • Searches Without a Warrant. "When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity." United States v. David, 756 F. Supp. 1385, 1392 (D. Nev. 1991). Agents may search a place or object without a warrant or, for that matter, without probable cause, if a person with authority has consented. Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973).
  • Computer Forensics Investigation Methodology (current step: Evaluate and Secure the Scene)
  • Forensic Photography
    • Snapshots of the evidence and the incident-prone areas need to be taken; they help in the forensic process
    • Take photographs of all the evidence, or of whatever helps in finding evidence
    • Label the photographed evidence according to the methodology
    • Photograph the evidence after the label is applied
    • Digital photography helps to capture, edit, and transfer the images faster
    • Digital photography helps in correcting the perspective of the image, which is used in taking measurements of the evidence
  • Gather the Preliminary Information at the Scene. When an incident occurs, the following information should be gathered:
    • Date and time
    • Place and location of the incident
    • Evidence from volatile and non-volatile systems
    • Details of the person(s) involved in the incident
    • Name and identification of the person who can serve as a potential witness
  • First Responder
    • The first person at the scene of the incident should collect and preserve as much evidence as possible
    • Evidence on all sorts of devices present at the scene should be collected
    • Follow the law while collecting the evidence, or contact a computer forensic examiner as soon as possible
  • Computer Forensics Investigation Methodology (current step: Collect the Evidence)
  • Collect Physical Evidence
    • Collect electronic devices or any other media found at the crime scene
    • To preserve the integrity of the physical evidence, all pieces of evidence collected should be handled carefully
    • The objects identified as evidence should be tagged; the tag provides detailed information about the evidence
    • The physical evidence includes: removable media; cables; publications; all computer equipment, including peripherals; items taken from the trash; miscellaneous items
  • Evidence Collection Form. Fields on the form:
    • Submitting Agency
    • Case No.
    • Item No.
    • Date of Collection
    • Time of Collection
    • Collected by
    • Badge No.
    • Description of Enclosed Evidence
    • Location Where Collected
    • Type of Offense
    • Victim’s Full Name
    • Suspect’s Full Name
  • Collect Electronic Evidence
    • List the systems involved in the incident and from which systems evidence can be collected
    • For each system, obtain the relevant order of volatility
    • Record the extent of the system's clock drift
    • Collect the evidence from the people who are part of the incident
    • Capture the electronic serial number of the drive and other user-accessible, host-specific data
  • Collect Electronic Evidence (cont’d). Electronic evidence consists of:
    • Data files: office desktop computer/workstation; notebook computer; home computer; computers of personal assistants/secretary/staff; palmtop devices; network file servers/mainframes/mini-computers
    • Backup tapes: system-wide backups (monthly/weekly/incremental); disaster recovery backups (stored off site); personal or “ad hoc” backups (look for diskettes and other portable media)
  • Collect Electronic Evidence (cont’d)
    • Other media sources: tape archives; replaced/removed drives; floppy diskettes and other portable media (e.g., CDs, Zip cartridges)
  • Guidelines in Acquiring Evidence
    • Warning banners are used to record the system's activities when it is used by an unauthorized user; in warning banners, organizations give clear and unequivocal notice to intruders that by signing onto the system they are expressly consenting to such monitoring
    • Seize the equipment connected to the case; knowing the role of the computer will indicate what should be taken
    • During the seizing process, the computer should not be powered down
    • Ensure that the examiner’s storage device is forensically clean when acquiring the evidence
    • Initiate write protection, if available, to preserve and protect the original evidence
  • Computer Forensics Investigation Methodology (current step: Secure the Evidence)
  • Secure the Evidence
    • Secure the evidence without damaging the evidence’s identity
    • Place the evidence in a secured site and do not allow any intruders to access it
    • Maintain the chain of custody to properly track the evidence
    • Identify digital and non-digital artifacts to separate the evidence according to its behavior
    • Maintain a log book at the entrance of the lab to log the times and names of the persons who visited
    • Place an intrusion alarm system at the entrance of the forensic lab
    • Contact law enforcement agencies to learn how to preserve the evidence
  • Evidence Management. Evidence management helps in protecting the true nature of the evidence; this is achieved by proper handling and documentation of the evidence. The procedures used to protect and document the evidence when collecting and shipping are:
    • The logbook of the project
    • A tag to uniquely identify each piece of evidence
    • A chain of custody record
    At the time of evidence transfer, both sender and receiver need to record the date and time of the transfer in the chain of custody record
  • Chain of Custody. Chain of custody is a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory. Functions:
    • Governs the collection, handling, storage, testing, and disposition of evidence
    • Safeguards against tampering with or substitution of evidence
    • Documents that these steps have been carried out
    The chain of custody form should identify:
    • Sample collector
    • Sample description, type, and number
    • Sampling date and location
    • Any custodians of the sample
  • Chain of Custody Form (for Case #, Client Ref. #). For each item: Client Item #, Description, Make, Model, Serial #, Other Identifying # (the form has room for three items). Chain of custody table columns: Client Item #’s; Date/Time; Released By (Name/Client, Signature); Received By (Name/Client, Signature); Reason
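A chain-of-custody record modelled on the form above, as an added example that is not EC-Council's material: it stores the form's item fields and transfer rows, checks that possession passes from receiver to next releaser without a gap, that timestamps do not run backwards and that every transfer states a reason, and re-hashes the image against the digest taken at collection. Names, case numbers and the image bytes are constructed.

```python
"""Chain-of-custody record with continuity and integrity checks (constructed example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class CustodyTransfer:
    """One row of the custody table: released by, received by, date/time, reason."""
    released_by: str
    received_by: str
    when: datetime
    reason: str


@dataclass
class EvidenceItem:
    """Header fields of the form plus the digest recorded when the media was collected."""
    case_no: str
    item_no: str
    description: str
    collection_hash: str  # SHA-256 hex digest of the media image taken at collection
    transfers: List[CustodyTransfer] = field(default_factory=list)

    def record_transfer(self, released_by: str, received_by: str,
                        reason: str, when: Optional[datetime] = None) -> None:
        """Append a transfer; both parties and the time of transfer go into the record."""
        stamp = when or datetime.now(timezone.utc)
        self.transfers.append(CustodyTransfer(released_by, received_by, stamp, reason))


def check_chain(item: EvidenceItem, collector: str) -> List[str]:
    """Return the problems found in the chain; an empty list means custody is unbroken.

    Rules checked:
      * the first release must come from the person who collected the item;
      * each receiver must be the releaser of the next transfer (no gap in possession);
      * transfer timestamps must not go backwards;
      * every transfer must state a reason.
    """
    problems: List[str] = []
    if not item.transfers:
        return ["no custody transfers recorded"]
    first = item.transfers[0]
    if first.released_by != collector:
        problems.append(f"first release by {first.released_by!r}, "
                        f"but the item was collected by {collector!r}")
    for i, t in enumerate(item.transfers):
        if not t.reason.strip():
            problems.append(f"transfer {i}: no reason given")
        if i == 0:
            continue
        prev = item.transfers[i - 1]
        if prev.received_by != t.released_by:
            problems.append(f"transfer {i}: released by {t.released_by!r} "
                            f"but custody was with {prev.received_by!r}")
        if t.when < prev.when:
            problems.append(f"transfer {i}: timestamp precedes transfer {i - 1}")
    return problems


def verify_item_hash(item: EvidenceItem, image_bytes: bytes) -> bool:
    """Re-hash the image and compare against the digest recorded at collection."""
    return hashlib.sha256(image_bytes).hexdigest() == item.collection_hash


def demo_chains():
    """Constructed sample: one intact chain, one broken chain. All names and numbers are made up."""
    image = b"constructed disk image bytes, not real evidence"
    digest = hashlib.sha256(image).hexdigest()
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)

    good = EvidenceItem("CASE-0001", "1", "USB flash drive, 16 GB", digest)
    good.record_transfer("A. Collector", "B. Examiner", "transport to lab", t0)
    good.record_transfer("B. Examiner", "C. Custodian", "storage in evidence safe", t0.replace(hour=17))

    broken = EvidenceItem("CASE-0001", "2", "laptop hard drive, 500 GB", digest)
    broken.record_transfer("A. Collector", "B. Examiner", "transport to lab", t0)
    # Second row: released by someone who never received it, earlier than row 0, with no reason.
    broken.record_transfer("D. Unknown", "C. Custodian", "", t0.replace(hour=8))

    return check_chain(good, "A. Collector"), check_chain(broken, "A. Collector"), verify_item_hash(good, image)


if __name__ == "__main__":
    good_problems, broken_problems, hash_ok = demo_chains()
    print("intact chain problems:", good_problems)
    print("broken chain problems:", *broken_problems, sep="\n  ")
    print("image hash matches collection record:", hash_ok)
```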
  • Computer Forensics Investigation Methodology (current step: Acquire the Data)
  • Original Evidence Should NEVER be Used for Analysis
  • Duplicate the Data (Imaging)
    • Duplicate the data to preserve the original data
    • The data should be duplicated bit by bit so that the copy represents exactly the original data
    • The data can be duplicated either through hardware or software
    • The duplicated data is sent to the forensic lab
  • Verify Image Integrity
    • Calculate and match the MD5 hash of the original evidence and of the forensic image
    • Matching hash values show that the image is the same as the evidence
    • Tools for calculating the hash value: Md5sum; Free Hash
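The imaging and verification steps of the two slides above as an added example, not code from the course: a constructed stand-in for the media is copied block by block, the digests are computed from the very bytes read during imaging, and original and image are then re-hashed independently. It records SHA-256 alongside the MD5 the slide names, since MD5 collisions are known and examiners routinely record a second hash; the one-bit corruption at the end shows what a verification failure looks like.

```python
"""Bit-for-bit duplication of evidence media with MD5 and SHA-256 verification (constructed example)."""
import hashlib
import os
import tempfile
from typing import Dict

BLOCK_SIZE = 1024 * 1024  # 1 MiB blocks: large media never has to fit in memory


def hash_file(path: str) -> Dict[str, str]:
    """Hex digests of a file, read block by block."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def image_media(source: str, image_path: str) -> Dict[str, str]:
    """Copy every byte of source to image_path.

    The digests are fed from the same blocks that are written out, so the returned
    acquisition hash describes the original exactly as it was read during imaging.
    The source is opened read-only; a hardware write blocker is still the real protection.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(block)
            md5.update(block)
            sha.update(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk before hashing it
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify_image(source: str, image_path: str, acquisition: Dict[str, str]) -> Dict[str, bool]:
    """Independently re-hash original and image; per algorithm, all three digests must agree."""
    src_h, img_h = hash_file(source), hash_file(image_path)
    return {alg: src_h[alg] == img_h[alg] == acquisition[alg] for alg in acquisition}


def demo() -> tuple:
    """Image a constructed 2 MiB 'device', verify, then corrupt one bit of the image and re-verify."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "evidence_media.bin")
        image = os.path.join(workdir, "evidence_media.dd")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 8192)  # deterministic stand-in for the original media
        acquisition = image_media(source, image)
        intact = verify_image(source, image, acquisition)

        # Flip one bit in the image (a failed sector on the target, for instance).
        with open(image, "r+b") as f:
            f.seek(12345)
            original = f.read(1)
            f.seek(12345)
            f.write(bytes([original[0] ^ 0x01]))
        corrupted = verify_image(source, image, acquisition)
    return intact, corrupted


if __name__ == "__main__":
    intact, corrupted = demo()
    print("after imaging:", intact)              # {'md5': True, 'sha256': True}
    print("after one flipped bit:", corrupted)   # {'md5': False, 'sha256': False}
```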
  • Recover Lost or Deleted Data. Collect lost or deleted data for evidence from internal and external devices. Some software used to recover data:
    • Partition Recovery Software
    • Data Recovery Wizard
    • PCInspector File Recovery
    • TestDisk and PhotoRec
    • ISOBuster
    • SoftPerfect File Recovery
  • Computer Forensics Investigation Methodology (current step: Analyze the Data)
  • Data Analysis. Thoroughly analyze the acquired data to draw conclusions related to the case. Data analysis techniques depend on the scope of the case or the client’s requirements. Identify and categorize data in order of relevance. This phase includes:
    • Analysis of the file’s content; the date and time of file creation and modification; the users associated with file creation, access, and modification; and the physical storage location of the file
    • Timeline generation
  • Data Analysis Tools. Forensic tools help in sorting and analyzing a large volume of data to draw meaningful conclusions. Examples of data analysis tools:
    • AccessData's FTK
    • Guidance Software's EnCase
    • Brian Carrier's Sleuth Kit
  • Computer Forensics Investigation Methodology (current step: Assess Evidence and Case)
  • Evidence Assessment
    • The digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action
    • Conduct a thorough assessment by reviewing the search warrant or other legal authorization, case details, the nature of the hardware and software, the potential evidence sought, and the circumstances surrounding the acquisition of the evidence to be examined
  • Case Assessment
    • Review the case investigator’s request for service
    • Identify the legal authority for the forensic examination request
    • Document the chain of custody
    • Discuss whether other forensic processes need to be performed on the evidence (e.g., DNA analysis, fingerprints, tool marks, trace evidence, and questioned documents)
  • Case Assessment (cont’d)
    • Discuss the possibility of pursuing other investigative avenues to obtain additional digital evidence (e.g., sending a preservation order to an Internet service provider (ISP), identifying remote storage locations, obtaining email)
    • Consider the relevance of peripheral components to the investigation; for example, in forgery or fraud cases, consider non-computer equipment such as laminators, credit card blanks, check paper, scanners, and printers (in child pornography cases, consider digital cameras)
    • Determine the potential evidence being sought (e.g., photographs, spreadsheets, documents, databases, and financial records)
    • Determine additional information regarding the case (e.g., aliases, email accounts, email addresses, ISP used, names, network configuration and users, system logs, passwords, user names), which may be obtained through interviews with the system administrator, users, and employees
  • Processing Location Assessment
    • Assess the evidence to determine where to conduct the examination
    • It is preferable to complete the examination in a controlled environment, such as a dedicated forensic work area or laboratory
    • Whenever circumstances require an onsite examination, attempt to control the environment
  • Processing Location Assessment (cont’d). Assessment considerations include:
    • The time needed onsite to accomplish evidence recovery
    • Logistic and personnel concerns associated with long-term deployment
    • The impact on the business of a lengthy search
    • The suitability of the equipment, resources, media, training, and experience for an onsite examination
  • Best Practices
    • Analyze the physical and logical evidence for its value to the case
    • Use a safe cabinet to secure the evidence
    • Examine network service logs for any events of interest
    • Examine the large amount of host data, of which only a portion might be relevant to the incident
    • Perform offline analysis on a bit-wise copy of the original evidence
    • Search the contents of all gathered files to help identify files that may be of interest
    • Review the time and date stamps in the file system metadata
    • Correlate the file headers to the corresponding file extensions to identify any mismatches
    • Review the file names for relevance and patterns
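An added analysis script, not from the course, for two of the items above: header-to-extension correlation and a timeline built from file system timestamps (the timeline generation the Data Analysis slide lists). The signature table is a short constructed subset of the magic numbers a real examination would draw from a full database, and the sample files are constructed in a temporary directory, one of them a JPEG renamed to .pdf.

```python
"""Correlate file headers with extensions and build a timestamp timeline (constructed example)."""
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Leading-byte signatures for a handful of common types. Constructed, deliberately short table;
# an examiner would use a full signature database.
SIGNATURES: Dict[str, List[bytes]] = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "docx": [b"PK\x03\x04"],  # Office Open XML is a ZIP container, so it shares the signature
}


def identify_by_header(head: bytes) -> Set[str]:
    """Every extension whose signature matches the leading bytes of the file."""
    return {ext for ext, sigs in SIGNATURES.items() if any(head.startswith(s) for s in sigs)}


def header_extension_mismatches(root: str) -> List[Tuple[str, str, List[str]]]:
    """Walk root and report files whose extension is in the table but whose header says otherwise.

    Files with extensions outside the table are skipped rather than flagged: the table cannot
    say anything about them, and false positives waste examiner time.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            with open(path, "rb") as f:
                head = f.read(16)
            detected = identify_by_header(head)
            if ext in SIGNATURES and ext not in detected:
                findings.append((path, ext, sorted(detected) or ["unknown"]))
    return findings


def build_timeline(root: str) -> List[Tuple[datetime, str, str]]:
    """One (timestamp, event, path) row per modified/accessed/changed time, oldest first.

    Note: st_ctime is inode change time on Unix but creation time on Windows.
    """
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            for label, ts in (("modified", st.st_mtime), ("accessed", st.st_atime), ("changed", st.st_ctime)):
                rows.append((datetime.fromtimestamp(ts, timezone.utc), label, path))
    return sorted(rows)


def demo():
    """Constructed sample files: one genuine JPEG, one JPEG renamed .pdf, one OOXML file, one text file."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # genuine JPEG header
        "notes.pdf": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # JPEG content behind a .pdf name
        "report.docx": b"PK\x03\x04" + b"\x00" * 32,       # ZIP container, consistent with .docx
        "readme.txt": b"plain text, extension not in the table",
    }
    with tempfile.TemporaryDirectory() as workdir:
        for name, data in samples.items():
            with open(os.path.join(workdir, name), "wb") as f:
                f.write(data)
        mismatches = header_extension_mismatches(workdir)
        timeline = build_timeline(workdir)
        return [(os.path.basename(p), ext, det) for p, ext, det in mismatches], len(timeline)


if __name__ == "__main__":
    mismatches, rows = demo()
    for name, ext, detected in mismatches:
        print(f"{name}: extension .{ext} but header matches {detected}")
    print("timeline rows:", rows)
```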
  • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Computer Forensics Investigation Methodology Assess Evidence and Case Testify in the Court as an Expert Witness Prepare the Final Report Analyze the Data Acquire the Data Secure the Evidence Obtain Search Warrant Evaluate and Secure the Scene Collect the Evidence
  • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Documentation in Each Phase • An initial estimate of the impact of the situation on the organization's business • Summaries of interviews with users and system administrators • Outcomes of any legal and third-party interactions • Reports and logs generated by tools used during the assessment phase • A proposed course of action Access the data: • Create a check-in/check-out list that includes information such as the name of the person examining the evidence, the exact date and time they check out the evidence and the exact date and time they return it Acquire the data:
  • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Documentation in Each Phase (cont’d) • Document the information regarding the number and type of operating system(s) • Document the file’s content • Document the result of correlation of files to the installed applications • Document the user’s configuration settings Analyze the data:
  • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Gather and Organize Information • Gather all documentation and notes from the Assess, Acquire, and Analyze phases • Identify parts of the documentation that are relevant to the investigation • Identify facts to support the conclusions you will make in the report • Create a list of all evidence to be submitted with the report • List any conclusions you wish to make in your report • Organize and classify the information you gathered to ensure that a you get a clear and concise report Procedures used to gather and organize the required documentation are: Documentations in each phase should be identified for their relevancy in the investigation
  • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Writing the Investigation Report • Clearly explain the objective of the report, the target audience, and why the report was prepared Purpose of Report: • List all authors and co-authors of the report, including their positions, responsibilities during the investigation, and contact details Author of Report: • Report writing is a crucial stage in the outcome of the investigation • The report should be clear, concise, and written for the appropriate audience Report Writing: The information included in the report section are:
  • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Writing the Investigation Report (cont’d) • Introduce the incident and explain its impact; the summary should explain clearly about what and how the incident occurred Incident Summary: • Provide descriptions of the evidence that was acquired during the investigation Evidence: • Provide a detailed description of what evidence was analyzed and the analysis methods that were used • Explain the findings of the analysis • List the procedures that were followed during the investigation and any analysis techniques that were used • Include proof of your findings, such as utility reports and log entries Details:
  • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Writing the Investigation Report (cont’d) • Summarize the outcome of the investigation • Cite specific evidence to prove the conclusion • The conclusion should be clear and unambiguous Conclusion: • Include any background information referred to throughout the report, such as network diagrams, documents that describe the computer investigation procedures used, and overviews of technologies that are involved in the investigation • It is important that supporting documents provide enough information for the report reader to understand the incident as completely as possible Supporting documents:
Sample Report (slide images; not reproduced in the transcript)
Computer Forensics Investigation Methodology

• Obtain Search Warrant
• Evaluate and Secure the Scene
• Collect the Evidence
• Secure the Evidence
• Acquire the Data
• Analyze the Data
• Assess Evidence and Case
• Prepare the Final Report
• Testify in the Court as an Expert Witness
Expert Witness

An expert witness is a person who has thorough knowledge of his or her subject, which allows the court to rely on his or her opinion

The role of an expert witness is to:
• Investigate a crime
• Evaluate the evidence
• Educate the public and court
• Testify in court

Role of the expert witness in bringing evidence to court:
• Assist the court in understanding intricate evidence
• Aid the attorney in getting to the truth
• Truthfully, objectively, and fully express his or her expert opinion, without regard to any views or influence
Testifying in the Court Room

Presenting digital evidence in the court requires knowledge of new, specialized, evolving, and sometimes complex technology

Things that take place in the court room:
• Familiarize yourself with the usual procedures that are followed during a trial
• The attorney introduces the expert witness with high regard
• The opposing counsel may try to discredit the expert witness
• The attorney leads the expert witness through the evidence
• Later, this is followed by cross examination by the opposing counsel
Closing the Case

• The investigator should include what was done and the results in the final report
• A basic report includes: who, what, when, where, and how
• In a good computing investigation, the steps can be repeated and the results obtained are the same every time
• The report should explain the computer and network processes and the inner workings of the system
• The investigator should provide an explanation for the various processes and their interrelated components
Maintaining Professional Conduct

• Consider all the available facts that pertain to the crime scene
• Ignore external biases to maintain the integrity of the fact-finding in all investigations
• Keep the case confidential
• Stay current on the latest technical changes in computer hardware and software, networking, and forensic tools
• Maintain a chain of custody

Follow these criteria to maintain professional conduct:
• Credibility
• Ethics and morals
• Standards of behavior
• Maintain objectivity and confidentiality
• Enriched technical knowledge
• Conduct with integrity
Investigating a Company Policy Violation

• Employees using the company’s resources for personal use not only waste the company’s time and resources but also violate the company’s policy
• Trace such employees and educate them about the company’s policy; if the problem persists, take suitable action
• Employees misusing resources can cost companies millions of dollars

Misusing resources includes:
• Surfing the Internet
• Sending personal emails
• Using company computers for personal tasks

While investigating, the business must continue with minimal interruption
Computer Forensics Service Providers

Service Providers and Links:
• CFS: http://www.computer-forensic.com/
• Lab Systems: http://www.labsystems.co.in/
• DataBank Services: http://www.databankservices.com/
• Computer Legal Experts: http://www.ontonet.com/default.asp
• Data Triage Technologies: http://www.datatriage.com/computer_forensics.php
• New York Computer Forensic Services: http://www.newyorkcomputerforensics.com/
• Global Digital Forensics: http://www.evestigate.com/
Summary

• Collect evidence that can be presented in the court of law or at a corporate inquiry
• Maintain a "chain of custody" for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession
• Obtain proper written authorization from an authorized decision maker to conduct the computer investigation
• The first person at the scene of the incident should collect and preserve as much evidence as possible
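The chain-of-custody requirement in the Summary (where the media has been, who held it, and why) and the repeatability point under "Closing the Case" can both be enforced with a simple custody record that re-hashes the media at every handover. The following is an added example, not EC-Council material; the item identifier, custodian names, timestamps and the stand-in disk image are all constructed.

```python
"""Chain-of-custody record with integrity checks (added example, not from the slides)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class CustodyEntry:
    custodian: str   # whose possession the media is in
    location: str    # where the media is
    reason: str      # why that person holds it
    timestamp: str   # constructed ISO-8601 timestamp
    sha256: str      # hash the custodian computed when signing for the media


@dataclass
class EvidenceItem:
    item_id: str               # constructed evidence label
    acquisition_sha256: str    # hash recorded at first seizure
    chain: list = field(default_factory=list)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(item_id, image, custodian, location, reason, timestamp):
    """Open the chain: the first responder hashes the media and records the seizure."""
    h = sha256_of(image)
    item = EvidenceItem(item_id, h)
    item.chain.append(CustodyEntry(custodian, location, reason, timestamp, h))
    return item


def transfer(item, image, custodian, location, reason, timestamp):
    """Record a handover; the recipient re-hashes the media before signing for it."""
    item.chain.append(CustodyEntry(custodian, location, reason, timestamp, sha256_of(image)))


def verify(item):
    """Return a list of problems; an empty list means every holder saw identical media."""
    return [f"entry {i} ({e.custodian}): hash mismatch"
            for i, e in enumerate(item.chain) if e.sha256 != item.acquisition_sha256]


# Constructed sample: a tiny stand-in for a seized disk image
IMAGE = b"\x00" * 512 + b"constructed sample image"
item = acquire("E-0001", IMAGE, "J. Doe (first responder)", "Server room 2",
               "Seizure at scene", "2024-01-05T09:15:00Z")
transfer(item, IMAGE, "A. Smith (lab analyst)", "Forensic lab, safe 3",
         "Imaging and analysis", "2024-01-05T14:40:00Z")
```

Any later examiner who cannot reproduce `acquisition_sha256` from the media in hand has found either altered evidence or a broken chain, and the report must say so.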