File000118
Module V - First Responder Procedures
EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Scenario

Sam, a system administrator, was surprised to find critical files missing from his office server and suspected that the server had been compromised. Rather than risk investigating the system himself, he reported the incident to Bob, an Information Security Officer employed with the same firm. Bob took note of the request. Being a CHFI, Bob found it easy to seize Sam's server and follow the basic procedures for investigating the case: he examined an image file of the server's hard disk, and the investigation revealed a rootkit in one of the server's directories. During the investigation, Sam recalled downloading a patch management tool from a third-party source on the Internet and realised that the rootkit could have been bundled with that tool.
News: Mobile Handsets Becoming A 'Smoking Gun'
Source: http://www.darkreading.com/
Rise in mobile devices in the enterprise adds new challenges to incident response
Dec 01, 2008 | 02:42 PM, By Kelly Jackson Higgins, DarkReading

You have to be fast when seizing a mobile handheld device in the wake of a security breach -- a dead battery or a still-live signal could wipe out or taint the evidence stored on it.

As handheld devices gain more data features and storage, they also are increasingly becoming a smoking gun in an enterprise data breach, especially when it comes to the insider threat, security experts say. But getting hold of these devices and freezing the evidence on them isn't so easy.

"The biggest data breach [with handhelds] today is probably lost or stolen handhelds," says Randy Abrams, director of technical education at Eset. "The fact that many of these devices support MicroSD card of at least 2 gigabytes of capacity makes them extremely agile for transporting data. Insiders have no problem copying large amounts of data from a PC to their smartphone. Even if the possession of the data is legitimate, a lost device with unencrypted data can be a gold mine for the finder."

But the evidence on the devices can be easily lost or tainted. Amber Schroader, president and founder of Paraben, says the key is to maintain power on the device and protect it from any changes that could contaminate the evidence on it. "You can put aluminum foil around it to make sure the signal is blocked" or put a Faraday cage around it to protect the evidence, she said during a presentation at the recent CSI 2008 conference.

The first responder to a handheld device could have less than a minute to properly seize and contain one of these "volatile" devices, she says. If the battery dies, so does the forensics data that was on a Windows Mobile device, for instance, Schroader said.

"Every three days a new digital device goes into the consumer market," she said, and there aren't enough forensic examiners to keep up with them.
Module Objective

This module will familiarize you with:
• Electronic Evidence
• First Responder
• Role of the First Responder
• Electronic Devices: Types and Collecting Potential Evidence
• First Responder Toolkit
• Evidence Collecting Tools and Equipment
• First Responder Procedures
• Securing and Evaluating Electronic Crime Scene
• Conducting Preliminary Interviews
• Documenting Electronic Crime Scene
• Collecting and Preserving Electronic Evidence
• Packaging Electronic Evidence
• Transporting Electronic Evidence
• Reporting the Crime Scene
• First Responder Common Mistakes

Module Flow

Electronic Evidence -> First Responder -> Role of First Responder -> Electronic Devices: Types and Collecting Potential Evidence -> First Responder Toolkit -> Evidence Collecting Tools and Equipment -> First Responder Procedures -> Securing and Evaluating Electronic Crime Scene -> Conducting Preliminary Interviews -> Documenting Electronic Crime Scene -> Collecting and Preserving Electronic Evidence -> Packaging Electronic Evidence -> Transporting Electronic Evidence -> Reporting the Crime Scene -> First Responder Common Mistakes
Electronic Evidence

"Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device"

Properties of electronic evidence:
• It is latent, like fingerprint or DNA evidence: it cannot be seen or interpreted without the right tools and expertise
• It can be broken, altered, damaged, or destroyed by improper handling
• It is time-sensitive: volatile data such as memory contents, running processes and network state is lost when power is removed, and logs are overwritten on a fixed schedule
First Responder

The first responder is the person who arrives first at the crime scene and accesses the victim's computer system after the incident. The first responder may be a network administrator, a law enforcement officer, or an investigating officer, and is responsible for protecting, collecting, and preserving the evidence obtained from the crime scene.

Roles of First Responder
• Identifying the crime scene
• Protecting the crime scene
• Preserving temporary and fragile evidence
• Collecting complete information about the incident
• Documenting all the findings
• Packaging and transporting the electronic evidence
Electronic Devices: Types and Collecting Potential Evidence

Computer systems:
• Evidence is found in files stored on servers, memory cards, hard drives, removable storage devices and media such as floppy disks, CDs, DVDs, cartridges, and tape

Hard drive:
• To collect the evidence, check text, picture, video, multimedia, database, and computer program files

Thumb drive:
• To collect the evidence, check text, graphics, image, and picture files

Memory card:
• To collect the evidence, check event logs, chat logs, text files, image files, picture files, and Internet browsing history

Electronic Devices: Types and Collecting Potential Evidence (cont'd)

Smart card, dongle, and biometric scanner:
• Evidence is found by verifying the card's information against the user, the level of access, configurations, and permissions, and in the device itself

Answering machine:
• Evidence is found in voice recordings such as deleted messages, the last number called, memos, phone numbers, and tapes

Digital camera:
• Evidence is found in images, removable cartridges, video, sound, and time and date stamps

Pager:
• To collect the evidence, check address information, text messages, e-mail, voice messages, and phone numbers

Electronic Devices: Types and Collecting Potential Evidence (cont'd)

Personal digital assistants:
• Evidence is found in the address book, appointment calendars or information, documents, and e-mail

Printer:
• Evidence is found in usage logs, time and date information, and network identity information

Removable storage devices (tape, CD, DVD, floppy):
• Evidence is found in the media themselves

Telephones:
• Evidence is found in names, phone numbers, caller identification information, and appointment information

Modem:
• Evidence is found on the device itself

Electronic Devices: Types and Collecting Potential Evidence (cont'd)

Scanner:
• Evidence is found in names, phone numbers, caller identification information, and appointment information

Copiers:
• Evidence is found in documents, user usage logs, and time and date stamps

Credit card skimmers:
• Evidence is found in the card's expiration date, the user's address, credit card numbers, and the user's name

Digital watches:
• Evidence is found in the address book, notes, appointment calendars, phone numbers, and e-mails

Facsimile (fax) machines:
• Evidence is found in documents, phone numbers, the film cartridge, and send or receive logs
First Responder Toolkit

The first responder toolkit is a set of tested tools that helps the first responder collect genuine and presentable evidence. It helps the first responder understand the limitations and capabilities of electronic evidence at the time of collection.

Creating a First Responder Toolkit

Create a trusted forensic computer or testbed by:
• Choosing the operating system appropriate to the systems you expect to examine
• Completely sanitizing (wiping) the forensics computer
• Installing the operating system and required software
• Updating and patching the forensics computer
• Installing a file integrity monitor to test the integrity of the file system

Document the details of the forensics computer with:
• Version, name, and type of the operating system
• Names and versions of the installed software
• Names and types of the installed hardware

Creating a First Responder Toolkit (cont'd)

Document a summary of the collected tools. The summary helps the first responder understand how each tool works and comprises:
• How the tool was acquired (source, version, integrity check)
• A detailed description of the tool
• How the tool works
• The tool's dependencies and the effects it has on the system it is run on

Test the tools:
• Test the collected tools on the forensics computer and examine their performance and output
• Examine the effects of each tool on the forensics computer (files written, registry keys or configuration touched, timestamps altered)
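The file integrity monitor and tool documentation described above can be combined in one small script. The following Python example is added here and is not code from the EC-Council module; it builds a SHA-256 manifest of a toolkit directory (with free-text acquisition notes per tool, which are an assumed field) and later verifies that every tool is still present and byte-identical, reporting modified, missing and unexpected files. Directory names and notes in the usage are constructed for illustration.

```python
"""Build and verify a SHA-256 manifest for a first responder toolkit.

Added example (not part of the CHFI module). The manifest is the responder's
record that the tools used at a scene are the ones that were tested and
documented on the trusted forensic workstation.
"""
import hashlib
import json
import os
import sys
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large tool binaries need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, notes=None):
    """Walk the toolkit directory and record path, size and SHA-256 of every file.

    `notes` is an optional dict of relative path -> free text (acquisition
    source, version, dependencies), i.e. the tool summary the module asks for.
    """
    notes = notes or {}
    entries = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {
                "size": os.path.getsize(full),
                "sha256": sha256_file(full),
                "notes": notes.get(rel, ""),
            }
    return {
        "generated_utc": datetime.now(timezone.utc).isoformat(),
        "root": os.path.abspath(root),
        "files": entries,
    }


def verify_manifest(root, manifest):
    """Compare the toolkit on disk against a stored manifest.

    Returns a dict with sorted lists 'modified', 'missing' and 'unexpected'.
    All three empty means every recorded tool is present and unchanged.
    """
    current = build_manifest(root)["files"]
    expected = manifest["files"]
    modified = [p for p in expected
                if p in current and current[p]["sha256"] != expected[p]["sha256"]]
    missing = [p for p in expected if p not in current]
    unexpected = [p for p in current if p not in expected]
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def save_manifest(manifest, path):
    """Write the manifest as JSON; keep this file off the toolkit media or it
    will show up as 'unexpected' on the next verify."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    # usage: toolkit_manifest.py build <toolkit_dir> <manifest.json>
    #        toolkit_manifest.py verify <toolkit_dir> <manifest.json>
    mode, toolkit_dir, manifest_path = sys.argv[1:4]
    if mode == "build":
        save_manifest(build_manifest(toolkit_dir), manifest_path)
    else:
        result = verify_manifest(toolkit_dir, load_manifest(manifest_path))
        print(json.dumps(result, indent=2))
        sys.exit(1 if any(result.values()) else 0)
```

Run `build` once on the trusted forensic computer after the tools have been tested, store the manifest with the toolkit documentation, and run `verify` before the toolkit leaves for a scene and again when it returns; a non-zero exit means the kit is no longer the one that was documented.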
Evidence Collecting Tools and Equipment

Departments should have general crime scene processing tools (e.g., cameras, notepads, sketchpads, evidence forms, crime scene tape, and markers).

Documentation tools:
• Cable tags
• Indelible felt-tip markers
• Stick-on labels

Disassembly and removal tools:
• Flat-blade and Phillips-type screwdrivers
• Hex-nut drivers
• Needle-nose pliers
• Secure-bit drivers
• Small tweezers
• Specialized screwdrivers
• Standard pliers
• Star-type nut drivers
• Wire cutters

Evidence Collecting Tools and Equipment (cont'd)

Package and transport supplies:
• Antistatic bags
• Antistatic bubble wrap
• Cable ties
• Evidence bags
• Evidence tape
• Label tags
• Tape
• Packing materials
• Sturdy boxes of various sizes

Other tools:
• Gloves
• Hand truck
• Magnifying glass
• Printer paper
• Seizure disk
• Unused floppy diskettes

Evidence Collecting Tools and Equipment (cont'd)

Notebook computers:
• Licensed software
• Bootable CD
• External hard drives
• Network cables

Software tools:
• DIBS® Mobile Forensic Workstation
• AccessData's Ultimate Toolkit
• TEEL Technologies SIM tools

Hardware tools:
• Paraben Forensics hardware
• Digital Intelligence forensic hardware
• Tableau hardware accelerator
• Wiebetech forensics hardware tools
• Logicube forensics hardware tools
First Response Basics

First Response Rule

Under no circumstances should anyone other than qualified computer forensics personnel attempt to restore or recover information from a computer system or device that holds electronic information. Any attempt by unqualified individuals to retrieve data should be avoided, because it could compromise the integrity of the files or result in the files being inadmissible in legal or administrative proceedings.

Incident Response: Different Situations

First response to an incident may involve three different groups of people, each with differing skills and differing tasks depending on the incident. The three groups are:
• System administrators
• Local managers or other non-forensic staff
• Laboratory forensic staff

First Response for System Administrators

The actions taken by the system administrator after discovery of a potential computer violation play a vital role in the investigation. Once a system administrator discovers an incident, they must report it according to the current organisational incident reporting procedures. The system administrator should then not touch the system unless directed to by the incident or duty manager or by one of the forensic analysts assigned to the case.

First Response by Non-Laboratory Staff
• Secure the scene and ensure that it is maintained in a secure state until the Forensic Team advises otherwise
• Make notes about the scene that will eventually be handed over to the Forensic Team
• Treat the whole area surrounding a suspect computer, not just the computer itself, as the incident scene

First Response by Laboratory Forensic Staff

First response by laboratory forensic staff involves six stages:

1: Securing and evaluating the electronic crime scene
• Search warrant for search and seizure
• Plan for search and seizure
• Conduct the initial search of the scene
• Health and safety issues

2: Conducting preliminary interviews
• Ask questions
• Check the consent issues
• Witness signatures
• Initial interviews

First Response by Laboratory Forensic Staff (cont'd)

3: Documenting the electronic crime scene
• Photographing the scene
• Sketching the scene

4: Collecting and preserving electronic evidence
• Evidence collection
• Exhibit numbering
• Dealing with computers that are powered OFF or ON at seizure time
• Seizing portable computers

5: Packaging electronic evidence

6: Transporting electronic evidence
• Handling and transportation to the Forensic Laboratory
• Ensure the 'chain of custody' is strictly followed
Securing and Evaluating Electronic Crime Scene

Securing and Evaluating Electronic Crime Scene: A Check-list
• Follow the policies of the legal authority for securing the crime scene
• Verify the type of incident
• Make sure that the scene is safe for you and for the other responders
• Isolate the persons present at the scene
• Locate and help the victim
• Verify the data related to the offenders
• Transmit additional flash messages to other responding units
• Request additional help at the scene if needed
• Establish a security perimeter and determine whether the offenders are still in the crime scene area

Securing and Evaluating Electronic Crime Scene: A Check-list (cont'd)
• Protect evidence that is at risk of being lost or altered
• Protect perishable data (e.g. pagers and Caller ID boxes) physically and electronically
• Make sure that devices containing perishable data are secured, documented, and/or photographed
• Identify the telephone lines connected to devices such as modems and Caller ID boxes
• Document, disconnect, and label telephone lines and network cables
• Observe the situation at the scene and record those observations
• Protect physical evidence and latent fingerprints on keyboards, mice, diskettes, and CDs
Securing the Crime Scene

Warrant for Search and Seizure

A search warrant allows the first responder to perform the search and seizure of the electronic evidence named in the warrant. Search warrants for electronic devices basically focus on the following:

Electronic storage device search warrant:
• Allows the first responder to search and seize the victim's computer components (hardware, software, storage devices, and documentation)

Service provider search warrant:
• Allows the first responder to obtain the victim's computer information (service records, billing records, subscriber information) from the service provider

Planning the Search and Seizure

A search and seizure plan contains the following details:
• Description of the incident
• Incident manager running the incident
• Case name/title for the incident
• Location of the incident
• Applicable jurisdiction and relevant legislation
• Location of the equipment to be seized:
  • Type and size of the structure
  • Where the computer(s) are located (all in one place, or spread across the building or floors)
  • Who will be present at the incident
  • Whether the atmosphere at the location is friendly

Planning the Search and Seizure (cont'd)

Details of what is to be seized (make, model, location, ID etc.):
• Type of device and number to be seized
• Whether the computers will be running at seizure time or shut down
• Whether they are networked
• If so, what type of network, where data is stored on the network, where the backups are held, whether the system administrator is 'friendly', whether it will be necessary to take the server down, and what the business impact of that action is
• Search and seizure type (overt / covert)
• Local management involvement

Initial Search of the Scene
• Isolate the computer system (workstation, stand-alone, or network server) and any other media devices that can contain digital evidence
• Keep a search and seizure evidence log containing brief descriptions of all computers, devices or media located during the search for evidence
• Note the locations on the crime scene sketch as well
• Photograph and sketch the crime scene, along with a detailed accounting of all computer evidence

Health and Safety Issues

It is important to consider health and safety factors at all stages of the forensic process conducted by the forensic analysts. All forensic teams should wear protective latex gloves for search and seizure operations on site. This protects the staff and preserves any fingerprints that may need to be recovered at a later date.
Conducting Preliminary Interviews

Questions to Ask When a Client Calls the Forensic Investigator
• Description of the incident
• Incident manager running the incident
• Case name / title for the incident
• Location of the incident
• The jurisdiction under which the case and/or seizure is to be performed
• Details of what is to be seized (make, model, location, ID etc.)
• Other work to be performed at the scene (e.g. full search, evidence required, etc.)
• Whether the search and seizure is to be overt or covert and whether local management should know

Consent

There are times when the user is present and consent from the user of the hardware is required and given. In such cases, the appropriate consent forms for the jurisdiction should be used and carried in the grab bag.

Sample of Consent Search Form (form image not reproduced)

Witness Signatures

Depending on the legislation of the jurisdiction, one or two signatures may be required to certify the collection of evidence. Typically, where one signature is required, the Forensic Analyst or Law Enforcement Officer performing the seizure signs. Where two signatures are required, guidance should be sought on whose second signature should be taken. Whoever signs as witness needs a clear understanding of their role and may be required to provide a witness statement or attend court.

Conducting Preliminary Interviews

Interview separately and identify all persons (witnesses and others) present at the scene, and record their location at the time of entry. Consistent with departmental policies and applicable laws, collect information from individuals such as:
• Owners and/or users of the electronic devices found at the scene
• User names and Internet service provider
• Passwords required to access the system, software, or data
• Purpose of using the system
• Unique security schemes or destructive devices
• Any offsite data storage
• Documents explaining the hardware or software installed on the system

Conducting Initial Interviews

If the suspect is present at search and seizure time, the Incident Manager or the Laboratory Manager may consider asking the suspect some questions, but these must comply with the relevant Human Resources or legislative guidelines for the jurisdiction. At initial interviews the suspect often has had little time to concoct an alibi, and when asked questions will often answer truthfully, even to questions such as 'what are the passwords for the account'.

Conducting Initial Interviews (cont'd)

An individual who has physical possession of a piece of evidence is responsible for its security. Evidence should be secured so that only the individual who has signed for it can gain access to it, though it is noted that this is not always possible.

Typical questions could include:
• Are there any keys? Some computer cases have physical key locks
• What are the user IDs and passwords for the computer?
• What e-mail addresses are used, and what are the user IDs and passwords for them?

Witness Statement Checklist (checklist images not reproduced)
Documenting the Electronic Crime Scene

Documenting Electronic Crime Scene
• Documentation of the scene creates an unchanging historical record of the scene
• Document the physical scene, such as the position of the mouse and the location of components near the system
• Document related electronic components that are difficult to find
• Record the condition of the computer system, storage media, electronic devices and conventional evidence, including the power status of the computer
• Take a photograph of the computer's screen and write notes on what you have seen on the screen

Photographing the Scene

Photographing the scene should be the first step taken by the Forensic Team on arrival, and should be done in a manner that does not alter or damage the scene. Ideally, first take several photographs that establish the location of the scene, followed by an entry photograph, followed by a series of '360 degree' photographs: overlapping photographs depicting the entire crime scene. The key to crime scene photography is to go from the overall scene down to the smallest piece of evidence.

Photographing the Scene (cont'd)

Photographs should also be taken of the immediate work area, including computer disks, handwritten notes, and other computer equipment (printers and external drives). Photographs should also be taken of the rear of the computer to accurately show how the leads are connected. If this cannot be done, all cables must be labelled and the PC photographed when it is reconnected at the Forensic Laboratory.

Sketching the Scene

A crime scene sketch should be prepared that details the overall scene, including the locations of items within the office area. Again, the rule of thumb for crime scene sketching is to go from the overall scene to the smallest piece of evidence; this may require several sketches to accurately depict the scene.

Video Shooting the Crime Scene (image not reproduced)
Collecting and Preserving Electronic Evidence

Collecting and Preserving Electronic Evidence

When an incident is reported in which a computer is assumed to be part of the incident, it is often the case that the computer is the first and only item seized. This is wrong. The scene should be searched in a circular motion with the computer at the centre of the circle. Items of evidence, as located, should be photographed, identified in notes, and then collected. Evidence should be identified, recorded, seized, bagged, and tagged on site with no attempt to determine its contents or status.

Order of Volatility

When collecting evidence, the collection should proceed from the most volatile to the least volatile. The list below is the order of volatility for a typical system:
• Registers, cache
• Routing table, process table, kernel statistics, and memory
• Temporary file systems
• Disk or other storage media
• Remote logging and monitoring data that is relevant to the system in question
• Physical configuration, network topology
• Archival media
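The ordering above is easy to state and easy to get wrong under pressure, so a live-response script should enforce it rather than rely on the responder's memory. The following Python example is added here and is not code from the EC-Council module: each collector is tagged with its volatility category, `collect()` sorts them from most to least volatile before running anything, writes each output to the responder's output directory (in practice external media, never the suspect disk), and returns a log with UTC timestamps and SHA-256 hashes that can serve as the first chain-of-custody entry. The default Linux collectors (`ip`, `ps`, `ss`, `ls`, `mount`) are assumptions for illustration; the collectors passed in the test are constructed byte strings so it runs offline.

```python
"""Live collection ordered by volatility.

Added example (not part of the CHFI module). Collectors are (category, name,
callable-returning-bytes); they are executed most-volatile first regardless of
the order in which they were listed.
"""
import hashlib
import os
import subprocess
import sys
from datetime import datetime, timezone

# Lower rank = more volatile = collected first. Mirrors the module's list.
VOLATILITY = {
    "registers_cache": 0,
    "memory_and_kernel": 1,       # routing table, process table, kernel stats, RAM
    "temporary_filesystems": 2,
    "disk": 3,
    "remote_logs": 4,
    "physical_config": 5,         # physical configuration, network topology
    "archival_media": 6,
}


def run_command(argv):
    """Collector that captures stdout+stderr of a command; never raises, so one
    missing binary does not abort the rest of the collection."""
    try:
        p = subprocess.run(argv, capture_output=True, timeout=60)
        return p.stdout + p.stderr
    except (OSError, subprocess.SubprocessError) as exc:
        return f"collector failed: {exc}\n".encode()


def collect(collectors, outdir):
    """Run collectors from most to least volatile, writing each output to outdir.

    Returns the collection log: one dict per item in execution order, with UTC
    start/finish times, byte count and SHA-256 of what was written.
    """
    os.makedirs(outdir, exist_ok=True)
    ordered = sorted(collectors, key=lambda c: VOLATILITY[c[0]])  # stable sort
    log = []
    for category, name, fn in ordered:
        started = datetime.now(timezone.utc)
        data = fn()
        path = os.path.join(outdir, f"{VOLATILITY[category]}_{name}.txt")
        with open(path, "wb") as f:
            f.write(data)
        log.append({
            "category": category, "name": name, "path": path,
            "started_utc": started.isoformat(),
            "finished_utc": datetime.now(timezone.utc).isoformat(),
            "bytes": len(data), "sha256": hashlib.sha256(data).hexdigest(),
        })
    return log


def is_ordered(log):
    """True if no entry was collected before a more volatile one."""
    ranks = [VOLATILITY[e["category"]] for e in log]
    return ranks == sorted(ranks)


def default_linux_collectors():
    # Assumed, commonly available Linux commands; adjust for the target host.
    # The binaries should come from the responder's trusted toolkit, not from
    # the suspect system, which may be running a rootkit.
    return [
        ("physical_config", "interfaces", lambda: run_command(["ip", "addr"])),
        ("disk", "mounts", lambda: run_command(["mount"])),
        ("memory_and_kernel", "process_table", lambda: run_command(["ps", "-ef"])),
        ("memory_and_kernel", "routing_table", lambda: run_command(["ip", "route"])),
        ("memory_and_kernel", "sockets", lambda: run_command(["ss", "-antup"])),
        ("temporary_filesystems", "tmp_listing", lambda: run_command(["ls", "-la", "/tmp"])),
    ]


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "collection"
    for entry in collect(default_linux_collectors(), out):
        print(entry["started_utc"], entry["category"], entry["name"], entry["sha256"][:16])
```

The deliberately scrambled order in `default_linux_collectors()` still produces process, routing and socket data before the `/tmp` listing and the mount table; the log that comes back is what goes into the responder's notes, and `is_ordered()` is a cheap self-check before the collection is signed off.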
Dealing with Powered OFF Computers at Seizure Time

If equipment is switched OFF, leave it OFF.

Dealing with Powered ON Computers

The first step to take when approaching an active, powered-on, running computer is: STOP and THINK.
• The contents of RAM in an active computer system undoubtedly hold some information, and occasionally this can be important to a case
• For example, data that is likely to be found encrypted on disk might be found in an unencrypted state in memory, or a running process might need to be identified and examined before power is removed
• Any such information in memory is lost when the power supply to the device is removed

Dealing with Powered ON Computers (cont'd)

If a computer is switched on and the screen is viewable, the following must be done:
• Record the programs running on screen
• Photograph the screen

Dealing with Networked Computers
• Unplug the network cable from the router and modem
• If the computer is off, leave it off
• If the computer is ON, photograph the screen
• If the computer is ON and the screen is blank, move the mouse slowly and take a photograph of the screen
• Label all the connected devices and cords for later identification
• Unplug all the cords and devices connected to the computer

Dealing with Open Files and Startup Files

Malware that attacks a computer system commonly creates files in the startup locations so that the malicious program is launched at boot. Follow the listed procedures to find the evidence:
• Look for recently created files in the Startup or system32 folder on Windows and in the rc.local file on Linux
• Note down the date and time of the files
• Examine the open files for sensitive data such as passwords, images etc.
• Search for unusual MAC (modified, accessed, changed) times on vital folders and startup files
Opening a file on the live system updates its access time and can overwrite the very timestamps you are looking for; where possible, record the MAC times first (using metadata calls only) and do the content examination on a forensic image or a write-blocked copy.
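The MAC-time check in the last procedure above, as an added Python example (not code from the EC-Council module). It walks a list of startup or persistence locations, reads modified, accessed and changed times with `lstat` only (so it does not itself alter access times), and flags every file whose modified or changed time falls inside the suspected incident window. The `STARTUP_LOCATIONS` paths are assumptions for a typical Windows or Linux host and should be extended for the target; the test constructs its own temporary directory and timestamps.

```python
"""Report MAC times for startup locations and flag changes in an incident window.

Added example (not part of the CHFI module). Uses os.lstat only: nothing is
opened, so the examined volume's access times stay as they were found.
"""
import os
import sys
from datetime import datetime, timedelta, timezone

# Assumed persistence locations; extend for the target OS and build.
STARTUP_LOCATIONS = {
    "windows": [
        r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
        r"C:\Windows\System32",
    ],
    "linux": ["/etc/rc.local", "/etc/init.d", "/etc/cron.d", "/etc/systemd/system"],
}


def mac_times(path):
    """Return (modified, accessed, changed) as timezone-aware UTC datetimes.

    On Unix st_ctime is the inode change time; on Windows it has historically
    been the creation time, so interpret the third value accordingly.
    """
    st = os.lstat(path)

    def to_dt(t):
        return datetime.fromtimestamp(t, tz=timezone.utc)

    return to_dt(st.st_mtime), to_dt(st.st_atime), to_dt(st.st_ctime)


def iter_files(location):
    """Yield a single file, or every file below a directory; nothing if absent."""
    if os.path.isfile(location):
        yield location
    elif os.path.isdir(location):
        for dirpath, _, names in os.walk(location):
            for n in names:
                yield os.path.join(dirpath, n)


def scan_startup(locations, window_start, window_end):
    """List every file under `locations` with its MAC times, newest mtime first.

    An entry is flagged when its modified or changed time falls inside
    [window_start, window_end], the suspected incident window.
    """
    results = []
    for loc in locations:
        for path in iter_files(loc):
            try:
                m, a, c = mac_times(path)
            except OSError:
                continue  # unreadable entry: note it elsewhere, keep scanning
            flagged = (window_start <= m <= window_end) or (window_start <= c <= window_end)
            results.append({"path": path, "mtime": m.isoformat(), "atime": a.isoformat(),
                            "ctime": c.isoformat(), "flagged": flagged})
    results.sort(key=lambda r: r["mtime"], reverse=True)
    return results


def flagged_paths(results):
    return [r["path"] for r in results if r["flagged"]]


if __name__ == "__main__":
    # usage: startup_mac.py windows|linux <hours back from now>
    platform, hours = sys.argv[1], float(sys.argv[2])
    now = datetime.now(timezone.utc)
    for r in scan_startup(STARTUP_LOCATIONS[platform], now - timedelta(hours=hours), now):
        mark = "!" if r["flagged"] else " "
        print(mark, r["mtime"], r["ctime"], r["path"])
```

Run it against a mounted forensic image by pointing `STARTUP_LOCATIONS` at the image's mount point rather than the live root; the output order (newest modification first) puts the files that most deserve a content examination at the top.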
  60. 60. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Operating System Shutdown Procedure • Take a photograph of the screen • If any program is running, give a brief explanation • Unplug the power cord from the wall socket MS DOS/Windows 3.X/NT 3.51/95/98/NT 4.0 operating system: It is important to shut down the operating system in a proper manner so that it will not damage the integrity of the files Different operating systems have different shut down procedures
  61. 61. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Operating System Shutdown Procedure (cont’d) • Right click Menu -> click Console • If root user’s prompt is set to #sign mode: • Enter the password if available and type sync;sync;halt to shutdown the system • If password is not available, unplug the power cord from the wall socket • If it is set to console #sign mode: • Enter the user ‘s ID and press Enter • If the user‘s ID is root, type sync;sync;halt to shutdown the system • If user’s ID is not root, unplug the power cord from the wall socket UNIX/Linux Operating Systems • Record time from the menu bar • Click Special -> Shutdown • Unplug the power cord from the wall socket MacOS Operating System
  62. 62. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Computers and Servers Photograph the computer and ancillary (connected) equipment Photograph the connectors behind the computer and individually label them Record the cables and the respective ports to which they are connected Seal the power socket with tape to prevent inadvertent use Disconnect the monitor, keyboard, mouse, and CPU
63. Preserving Electronic Evidence
• Document the actions and changes that you observe on the monitor, computer, printer, or other peripherals
• Take a photo of the monitor screen if the computer is in the “on” state
• Photograph the connections of the computer and the corresponding cables and label them individually
• If any electronic devices such as PDAs or cell phones are present, photograph and label each device, collect all its cables, and transport them along with the device
64. Seizing Portable Computers
• Photograph the portable and ancillary (connected) equipment
• Photograph the connectors in the back of the portable and individually label them
• Record which cables are connected to which ports on the portable
• Remove the battery
65. Switched ON Portables
• Portables with their power on should be handled in the same way as a powered-on PC
• The date and time when the portable "wakes up" must be recorded
• Prior to pulling the power on a portable, the battery must be removed
• If it is not possible to remove the battery, pressing down on the power on/off switch for 30 seconds or so will force a hard power off
66. Collecting and Preserving Electronic Evidence
70. Packaging and Transporting Electronic Evidence
71. Evidence Bag Contents List
The panel on the front of evidence bags must be filled in with at least the following details:
• Date and time of seizure
• Seized by whom
• Exhibit number
• Seized from which place
• Details of the contents of the evidence bag
72. Packaging Electronic Evidence
• Make sure that the collected electronic evidence is properly documented, labeled, and listed before packaging
• Focus on hidden or trace evidence and take the necessary actions to preserve it
• Pack magnetic media in antistatic packaging
• Avoid folding and scratching storage devices such as diskettes, CD-ROMs, and tape drives
• Make sure that all the containers that hold the evidence are labeled in an appropriate way
74. Exhibit Numbering
All evidence collected should be marked as exhibits using this format:
• aaa/ddmmyy/nnnn/zz
• Where:
• aaa are the initials of the Forensic Analyst or Law Enforcement Officer seizing the equipment
• dd/mm/yy is the date of the seizure
• nnnn is the sequential number of the exhibits seized by aaa, starting with 001 and going to nnnn
• zz is the sequence number for parts of the same exhibit (e.g. ‘A’ could be the CPU, ‘B’ the Monitor, ‘C’ the keyboard, etc.)
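The exhibit format above, as an added example that is not part of the EC-Council slides: a small allocator that hands out sequential numbers and part letters, and a parser that rejects off-format labels. The field widths (three initials, four-digit sequence, single part letter) and the officer initials are assumptions made here.

```python
"""Added example, not from the EC-Council slides: allocate and parse exhibit
numbers in the slide's aaa/ddmmyy/nnnn/zz format. Field widths (three
initials, four-digit sequence, one-letter part) are assumptions here."""
import re
from datetime import date, datetime

EXHIBIT_RE = re.compile(
    r"^(?P<aaa>[A-Z]{3})/(?P<ddmmyy>\d{6})/(?P<nnnn>\d{4})/(?P<zz>[A-Z])$")

class ExhibitNumberer:
    """Hands out sequential exhibit numbers for one seizing officer on one
    seizure date; parts of the same exhibit get the letters A, B, C, ..."""

    def __init__(self, initials, seized_on):
        if not re.fullmatch(r"[A-Z]{3}", initials):
            raise ValueError("initials must be exactly three capital letters")
        self.initials = initials
        self.ddmmyy = seized_on.strftime("%d%m%y")
        self.seq = 0  # the first call to new_exhibit() yields 0001

    def new_exhibit(self, parts):
        """Allocate the next sequence number and label every part of it,
        e.g. ("CPU", "Monitor", "Keyboard") -> .../A, .../B, .../C."""
        if not 0 < len(parts) <= 26:
            raise ValueError("an exhibit needs between 1 and 26 parts")
        self.seq += 1
        return {f"{self.initials}/{self.ddmmyy}/{self.seq:04d}/{chr(65 + i)}": part
                for i, part in enumerate(parts)}

def parse_exhibit_number(label):
    """Split a label back into its fields; anything off-format is rejected."""
    m = EXHIBIT_RE.match(label)
    if not m:
        raise ValueError(f"not an exhibit number: {label!r}")
    f = m.groupdict()
    return {"initials": f["aaa"],
            "seized_on": datetime.strptime(f["ddmmyy"], "%d%m%y").date(),
            "exhibit": int(f["nnnn"]), "part": f["zz"]}

def demo_labels():
    """Constructed seizure on 1 Dec 2008 by an officer with the sample
    initials 'JDS': a desktop (CPU, monitor, keyboard) followed by a laptop."""
    n = ExhibitNumberer("JDS", date(2008, 12, 1))
    desktop = n.new_exhibit(("CPU", "Monitor", "Keyboard"))
    laptop = n.new_exhibit(("Laptop",))
    return list(desktop) + list(laptop)
```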
75. Transporting Electronic Evidence
• Keep electronic evidence away from magnetic sources while transporting it
• Store the evidence in a secure area that is away from high temperature and humidity
• Avoid storing electronic evidence in vehicles for long periods
• Make sure that computers and other electronic components are not packed in containers
• Maintain the chain of custody on the evidence that is to be transported
76. Handling and Transportation to the Forensics Laboratory
• Avoid turning the computer upside down or laying it on its side during transport
• When transporting a computer or other computer devices, do not place them in a car trunk or any other area where dramatic temperature and humidity changes are possible
• In a vehicle, the ideal place for transport is the rear seat, with the computer placed so that it will not fall if the brakes are applied suddenly or a quick maneuver is made
• All evidence must be kept away from any sources of magnetism or similar sources of power that could affect the integrity of the electronic evidence
77. Storing Electronic Evidence
• Ensure that the electronic evidence is listed in accordance with departmental policies
• Store the electronic evidence in a secure area and a climate-controlled environment
• Protect the electronic evidence from magnetic fields, dust, vibration, and other factors that may damage its integrity
78. Chain of Custody
‘Chain of Custody’ refers to a written account of the individuals who had sole physical custody of a piece of evidence from the time it was seized until the end of the case.
By becoming a ‘link’ in the ‘Chain of Custody’ and taking possession of a piece of evidence, an individual has the responsibility to secure it in a manner which can later stand legal scrutiny in case there is a claim of evidence tampering.
79. Chain of Custody (cont’d)
The chain of custody document contains the complete information about the obtained evidence. It contains the following information:
• Case number
• Name and title of the person from whom the evidence was received
• Address and telephone number
• Location from where the evidence was obtained
• Date/time of evidence
• Item number/quantity/description of items
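A chain-of-custody record built from the fields just listed, as an added example that is not part of the EC-Council slides, together with a continuity check that reports a hand-over missing from the written account. The record layout, the check's rules (each link received from the previous custodian, non-decreasing times, unchanged item) and every name and address in demo_chain() are assumptions constructed here.

```python
"""Added example, not from the EC-Council slides: a chain-of-custody record
built from the fields the slide lists, with a continuity check. The rules it
enforces (unbroken hand-over, ascending times, stable item) are assumptions."""
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class CustodyLink:
    """One hand-over. A link is never edited afterwards, only appended to."""
    case_number: str
    received_from: str   # name and title of the party releasing the item
    received_by: str     # name and title of the new sole custodian
    address_phone: str   # address and telephone number of the releasing party
    location: str        # where the evidence was obtained or handed over
    when: datetime       # date/time of the transfer
    item_number: str
    quantity: int
    description: str

def verify_chain(links):
    """Return a list of problems; empty means every custodian from seizure
    onward can be named and no hand-over is missing from the record."""
    problems, prev = [], None
    for i, link in enumerate(links):
        if prev is not None:
            if (link.case_number, link.item_number) != (prev.case_number, prev.item_number):
                problems.append(f"link {i}: case or item number changed")
            if link.received_from != prev.received_by:
                problems.append(f"link {i}: received from {link.received_from!r} but "
                                f"the previous custodian was {prev.received_by!r}")
            if link.when < prev.when:
                problems.append(f"link {i}: transfer time precedes the previous link")
            if (link.quantity, link.description) != (prev.quantity, prev.description):
                problems.append(f"link {i}: quantity or description changed")
        prev = link
    return problems

def demo_chain(skip_lab_intake=False):
    """Constructed case: a server disk seized from an administrator by a
    security officer, booked into the lab, then released to an examiner.
    With skip_lab_intake=True the lab booking is never written down."""
    hops = [("A. Admin, System Administrator", "B. Officer, Information Security Officer",
             "Server room", datetime(2008, 12, 1, 9, 0)),
            ("B. Officer, Information Security Officer", "C. Clerk, Lab intake",
             "Forensics lab", datetime(2008, 12, 1, 13, 30)),
            ("C. Clerk, Lab intake", "D. Examiner, Forensic examiner",
             "Forensics lab", datetime(2008, 12, 2, 8, 15))]
    if skip_lab_intake:
        del hops[1]
    return [CustodyLink("CASE-0001", src, dst, "1 Example St, 555-0100 (constructed)",
                        where, when, "ITEM-01", 1, "Office server hard disk")
            for src, dst, where, when in hops]
```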
80. Simple Format of the Chain of Custody Document
81. Chain of Custody Form
82. Chain of Custody Form (cont’d)
[Form table: ten rows with columns Media Model and Serial No]
84. Chain of Custody on Property Evidence Envelope or Bag
85. Chain of Custody Property Sign-out Sheet
86. Reporting the Crime Scene
The first responder creates a final report after completing the forensics process; it contains complete information about the forensics process. The report should include:
• Date and time of the crime
• Model, size, and partitions of the hard disk, to find hidden or missing data
• Name and version of the operating system running on the victim’s computer
• Results of programs such as DOS ScanDisk or DOS ChkDsk, to check the accuracy of any data found
• Result of the virus scanning process
• Software present on the victim’s computer
• List of files stored on the victim’s computer with their creation and update times
• Name and version of the software used in the processing of computer evidence
• Name of the interviewed person and his views
87. Note Taking Checklist: Crime Scene Checklist
88. Note Taking Checklist (cont’d): Crime Scene Checklist
89. First Responder Common Mistakes
Most of the time, system or network administrators act as the first responder at the crime scene. They cannot handle security incidents in a proper way because they do not know the first responder procedure. Common mistakes committed by the first responder are as follows:
• Shutting down or rebooting the victim’s computer
• Assuming that some components of the victim’s computer may be reliable and usable
• Not having access to baseline documentation about the victim computer
• Not documenting the data collection process
90. Summary
• Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device
• There are times when the user is present, consent from the user of the hardware is required, and that consent is given
• Documentation of the scene creates an unchanging historical record of the scene
• The ‘Chain of Custody’ refers to a written account of the individuals who had sole physical custody of a piece of evidence from the time it was seized until the end of the case