    File000163 Presentation Transcript

    • Module L - Investigative Reports
    • EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
    • News: Dubai Fund Boss Faces Investigation-Reports (Source: http://www.reuters.com/)
    • News: Market Investigation Report on China’s Tyre Industry, 2008 out Now (Source: http://www.marketwatch.com/)
    • Module Objective
      This module will familiarize you with:
        • Need of an investigative report
        • Report specifications
        • Report classification
        • Layout of an investigative report
        • Guidelines for writing a report
        • Use of the supporting material
        • Importance of consistency
        • Salient features of a good report
        • Investigative report format
        • Sample forensic report
        • Best practices for investigators
        • Writing report using FTK
    • Module Flow (diagram; box titles as extracted)
        • Report Specifications
        • Layout of an Investigative Report
        • Importance of Consistency
        • Need of an Investigative Report
        • Investigative Report Format
        • Salient Features of a Good Report
        • Guidelines for Writing a Report
        • Use of Supporting Material
        • Report Classification
        • Sample Forensic Report
        • Best Practices for Investigators
        • Writing Report Using FTK
    • Computer Forensic Report
      A computer forensic report provides detailed information on the complete computer forensics investigation process.
      An investigative report should:
        • Explain how the incident occurred
        • Be technically sound and clear to understand
        • Be properly formatted with page and paragraph numbers for easy referencing
        • Provide unambiguous conclusions, opinions, and recommendations supported by figures and facts
        • Adhere to the local laws of the land to be admissible in courts
        • Be submitted in a timely manner
    • Computer Forensics Report Template
        • Summary
            • Case number
            • Name and social security number of the author, investigators, and examiners
            • Why was the investigation undertaken?
            • List significant findings
            • Signature analysis
        • Objectives
        • Date and time the incident allegedly occurred
        • Date and time the incident was reported to agency personnel
        • Name of the person or persons reporting the incident
        • Date and time the investigation was assigned
        • Nature of claim and information provided to the investigator
        • Location of evidence
    • Computer Forensics Report Template (cont’d)
        • List of the collected evidence
        • Collection of evidence
        • Preservation of evidence
        • Initial evaluation of the evidence
        • Investigative techniques
        • Analysis of the computer evidence
        • Relevant findings
        • Supporting expert opinion
        • Other supporting details:
            • Attacker methodology
            • User applications
            • Internet activity
            • Recommendations
    • Report Format Specifications
        • PDF is the preferred format for digital reports
        • Do not file a report directly with the court
        • A definition of the goal or mission is a must
        • The order of writing should match the development of the case
        • Use of an outline or arrangement is suggested
        • Keep a copy of the report
    • Report Classification
        • Verbal formal report: A structured verbal report delivered to a board of directors/managers/panel of jury under oath
        • Verbal informal report: A verbal report that is less structured than a formal report and is delivered in person, usually in an attorney’s office or police station
        • Written formal report: A written report sworn under oath, such as an affidavit or declaration
        • Written informal report: An informal or preliminary report in written form
    • Layout of an Investigative Report
        • You can choose the numbering structure from two layout systems:
            • Decimal numbering system
            • Legal-sequential numbering system
        • Include signposts:
            • To clearly communicate the information
            • To draw the reader’s attention to a point
        • Present the text accurately
        • Maintain a proper document style throughout the text
    • Layout of an Investigative Report (cont’d)
        • Provide supporting material
            • Figures, tables, data, and equations
        • Explain methods
            • How you have studied the problem
        • Include data collection
    • Layout of an Investigative Report: Numbering
        • Decimal numbering structure
            • Divides the text into sections
            • Readers can scan the heading
            • Readers can identify how the parts relate to each other
        • Legal-sequential numbering
            • Used in pleadings
            • Roman numerals represent major aspects
            • Arabic numbers are supporting information
    • Guidelines for Writing a Report
        • Avoid jargon, slang, or colloquial terms
        • Define acronyms and abbreviations
        • Check grammar and spelling
        • Writing should be concise
        • Do not make any assumptions
        • Do not identify any leads
        • Double-check media findings
        • Write theoretical questions based on factual evidence
        • The report must support your opinion
        • Write opinions based on knowledge and experience
    • Use of Supporting Material
        • Use figures, tables, data, and equations as supporting material
        • Number figures and tables in the same order as they are introduced in the report
        • Provide captions with complete information
        • Insert figures and tables after the paragraph
    • Importance of Consistency
        • The sections in the report format must be adjusted in the same way
        • Consistency is more important than exact format in a report
        • Establish a template for writing reports
    • Salient Features of a Good Report
        • Explains methods of investigation
        • Data collection
        • Includes calculations
        • Provides for uncertainty and error analysis
        • Explains results
        • Discusses results and conclusions
        • Provides references
        • Includes appendices
        • Provides acknowledgements
    • Aspects of a Good Report
        • A good report achieves its purpose by answering the questions that were set out in the mandate for the investigator
        • It is designed to meet the needs of the decision-maker
        • A decision-maker must rely on the facts that were presented in the report
        • The facts must be based on the evidence in the file
        • It must be clear and written in neutral language so that the decision-maker and other readers will be able to understand it
        • It should be concise and must convey the necessary information
        • It should be structured in such a way that information can be located easily
    • Investigative Report Format
        • Get samples of already established report formats
        • Estimate objectivity
        • Document the findings in an unbiased and accurate manner
        • Address the identification and continuity of the evidence
        • Include any relevant extracts referred to in the report that support the analysis or conclusions
    • Attachments and Appendices
        • Use attachments or appendices as a supplement to the report
        • Attachments and appendices can be used to further detail any terminology, findings, or recommendations presented in the report
        • You can provide the reference to attachments or appendices when the report has more content
    • Include Metadata
        • Metadata is information about the file, which includes who created a file and time/date stamps
        • The significance of metadata is based on the properties of the file type
        • Two types of file metadata can be used in the forensic investigation:
            • System metadata can be used to identify the change in file location
            • Application metadata can be used to identify the change in document author, document version, macros, email “to,” “from,” “subject,” etc.
        • During analysis, the expert needs to work with the mirror image to avoid altering metadata
    • Signature Analysis
        • Signature analysis verifies the file signature to determine whether any files have been renamed
        • It identifies the difference between a file extension and the file header
        • It can be used for making hash sets for file filtering
    • Sample Forensic Report
      The report identifies the continuity of the information and describes the procedures utilized during:
        • Investigation
        • Concise summary of conclusions
        • Observations
        • All appropriate recommendations
    • Sample Report [slide images not reproduced in the transcript]
    • Investigation Procedures
        • General evidence
            • The date and time the investigator visited the site of the incident
            • The person with whom the investigator spoke at that site
        • Collecting physical and demonstrative evidence
        • Testimonial evidence
    • Collecting Physical and Demonstrative Evidence
        • The manner in which the scene of the incident, if any, was secured
        • A list of each piece of physical evidence that was collected
        • The manner in which the physical evidence was collected and logged
        • The manner in which the physical evidence was preserved after collection in order to maintain the chain of custody
        • A list of any pictures that were taken
        • A list of any other demonstrative evidence available to the investigation, e.g. diagrams, maps, floor plans, and x-rays
    • Collecting Testimonial Evidence
        • The way in which the investigator determined whom to interview
        • A list of all persons interviewed in chronological order, including title, date, and time of each interview
        • The person or persons, if any, as the target or targets of the case
        • The way in which the investigator afforded the target or other witnesses any right to representation, if such rights exist by labor contract, law, or regulation
        • Interviews without the writer’s statement
    • Do’s and Don’ts of Forensic Computer Investigations
        • Ask questions
        • Document thoroughly
        • Operate in good faith
        • Do not get in over your head
        • Make the decision to investigate
        • Treat everything as confidential
        • File it
    • Case Report Writing and Documentation
        • Document the entire computer media analysis and conclusions in the “Investigative Analysis Report”
        • Identify any files pertinent to the investigation and print them for inclusion as attachments to the analysis report
    • Create a Report to Attach to the Media Analysis Worksheet
      Keep notes on:
        • Date and time of the evidence CPU
        • Current date and time (include appropriate time zone)
        • Significant problems/broken items
        • Lapses in analysis
        • Finding evidence
        • Special techniques required beyond normal processes (e.g., password cracker)
        • Outside sources (e.g., commercial companies that provide assistance and information by trained CCIs over Computer Forensic Investigators)
    • Best Practices for Investigators
        • Before submitting the report, read it again
            • It gives a clear view of where you need to make changes
        • Anyone new to the situation should be able to understand the report
        • While revising the report, ensure that it is coherent, not repetitive, and presents information in the right place
        • Ensure that the report corresponds to the mandate
    • Writing Report Using FTK [screenshots not reproduced in the transcript]
    • Writing Report Using FTK (cont’d): Final Report
    • Summary
        • Investigative reports are critical during investigations because they communicate computer forensics findings and other information to the necessary authorities
        • Reports can be formal or informal, verbal or written
        • Reports need to be error free
        • Avoid jargon, slang, or colloquial terms
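
The check described on the Signature Analysis slide above, as an added example that is not part of the original module: each file's header bytes are compared with its extension, and a SHA-256 is recorded for each file so the result can feed a hash set. The signature table is a small constructed subset, the sample files are constructed, and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

# Well-known file signatures (magic bytes) and the extensions they normally carry.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"%PDF-": {".pdf"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},
    b"GIF89a": {".gif"},
}
HEADER_LEN = max(len(sig) for sig in SIGNATURES)

def analyze(path):
    """Return one report row: file name, extension, header type, verdict, SHA-256."""
    path = Path(path)
    data = path.read_bytes()  # acceptable for small samples; stream large evidence files
    header = data[:HEADER_LEN]
    expected = next((exts for sig, exts in SIGNATURES.items() if header.startswith(sig)), None)
    ext = path.suffix.lower()
    if expected is None:
        verdict = "unknown signature"  # not in the table: neither confirmed nor refuted
    else:
        verdict = "match" if ext in expected else "mismatch"
    return {
        "file": path.name,
        "extension": ext,
        "header_type": "/".join(sorted(expected)) if expected else "unknown",
        "verdict": verdict,
        "sha256": hashlib.sha256(data).hexdigest(),  # value to record in a hash set
    }

def demo():
    """Write constructed sample files to a temporary directory and analyze them."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG header, .jpg name
        "notes.txt": b"%PDF-1.4\n% constructed sample\n",   # PDF header, renamed to .txt
        "invoice.pdf": b"PK\x03\x04" + b"\x00" * 16,         # ZIP header, renamed to .pdf
        "readme.txt": b"plain text, no known signature\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            (Path(tmp) / name).write_bytes(content)
        return [analyze(p) for p in sorted(Path(tmp).iterdir())]

if __name__ == "__main__":
    for row in demo():
        print(row["verdict"].ljust(18), row["file"].ljust(12), row["header_type"], row["sha256"])
```

Run it against a working copy of the evidence, never the original media. A "mismatch" row is a lead to document and verify by hand, since container formats such as ZIP legitimately sit behind several extensions.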