COMPUTER FORENSICS
Chap 2- COMPUTER FORENSICS AND
FRAUD INVESTIGATIONS
By MALOBE LOTTIN CYRILLE M
Network and Telecommunication Engineer
PhD Student
Contact: +237 243004411 / 695654002
Email: malobecyrille.marcel@ictuniversity.org
Computer Forensic Science
© Copyright 2020
CONTENT
• Introduction
• Overview of a Computer Crime
• Digital Investigation Triad
• Initiating Computer crimes investigations
• Some investigation procedures in a corporate environment:
- Employee termination case: Internet abuse
- Employee termination case: E-mail abuse
- Attorney-Client Privilege investigation (ACP) case
- Media Leak investigations case
• Initiating Interviews in Digital Forensics Investigations
• Interview Methodology
• Investigation Interview Recording
• Investigating a Computer Crime Scene: Electronic devices (Type and Potential evidence)
• Conducting the Investigation on an item
• Precautions to take during Investigation
• The copying Process
• Finalizing the investigation Case
• Conclusion
Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
INTRODUCTION
• Digital forensic investigation of a computer is a unique process that comes with many challenges: understanding how computers manipulate bit values (0 and 1), and mastering operating systems, computer hardware, network operation, etc.
• Investigation is the act or process of investigating or the condition of being investigated.
• Computer investigation is about conducting a systematic search for digital evidence, where data are collected in the most secure and efficient manner.
• Forensics professionals gather evidence to prove that a suspect committed a crime or violated a company policy.
• Remember: Digital forensics is not data recovery.
• The success of an investigation relies on how well we understand what we are looking for and how efficient we are in the process of looking for it.
• Investigation of digital devices generally includes:
- COLLECTING DATA SECURELY
- OBSERVATION AND EXAMINATION OF SUSPECTED DATA
- PRESENTATION OF COLLECTED DATA REPRESENTED AS DIGITAL INFORMATION TO COURTS
- MAKING USE OF LAWS RELATED TO DIGITAL EVIDENCE PRACTICES
• Conducting a computer investigation therefore requires following an accepted procedure.
• A good case rests on the validity of the chain of evidence and the chain of custody.
OVERVIEW OF A COMPUTER CRIME
How do we characterize a crime as a “COMPUTER CRIME”?
• A computer is used as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy.
• Four major categories of computer crimes:
- Internal computer crimes: trojan horses, logic bombs, trap doors, worms, and viruses
- Telecommunication-related crimes: phreaking and hacking
- Computer manipulation crimes that result in embezzlement and fraud: use of a computer to manipulate financial statements
- Traditional thefts of hardware and software
• Up to now: slow implementation/adoption of laws related to computer crimes by governments.
OVERVIEW OF A COMPUTER CRIME (Cont…)
So, the major perpetrators of computer crimes include:
• Hackers.
• Crackers.
• Malicious insiders.
• Industrial spies.
• Cybercriminals.
• Hacktivists.
• Cyber terrorists.
Computer crimes are so prevalent today because of:
- Complexity of systems → drop in mastery of the computer and network environment
- Poor implementation of security policies
- Rapid technological advancements
- Slow or delayed software and hardware fixes (repairs)
- Better mastery of physical crimes → pushes criminals to try other means
OVERVIEW OF A COMPUTER CRIME (Cont…)
• Computer crime includes cases in which the computer is the tool, the target, or is incidental to the offense.
Practical case example
“In a recent case where a computer was used as a tool in the Crime, SEARCH assisted the Long Beach (California) Police Department with the forensic examination of two seized microcomputers. The computers were allegedly used by a gang involved in a payroll check counterfeiting operation that resulted in the loss of millions of dollars to two major banking institutions. The suspects used computer imaging technology and high-resolution scanners and printers to replicate payroll checks”. (Kelly, 1995)
• This means that computer crimes leave information that helps law enforcement determine:
- the chain of events leading to a crime,
- evidence that can lead to a conviction.
Note: Digital evidence can easily be altered by a careless investigator. Be mindful to respect procedures!
Digital investigation Triad
• Investigators in charge of forensics often work as a team known as the investigation triad.
Source: Retrieved from https://doi.org/10.1016/j.diin.2015.07.004
Digital investigation Triad (Cont…)
A forensic investigation needs to be conducted with the CIA principle in mind: the integrity of data must be preserved, and the findings kept as confidential as possible and made available according to how they will be presented and accepted in court.
The digital forensics triad is made of three main pillars:
- Vulnerability/threat assessment and risk management: consists of activities such as testing and verifying the integrity of stand-alone workstations and network servers
- Network intrusion detection and incident response: detecting intruder attacks with automated tools and monitoring network firewall logs
- Digital investigations: properly managed investigation and launching of forensic analysis of any system suspected to contain potential evidence.
The CIA triad
Initiating Computer crimes investigation
How should investigators handle evidence at the crime scene?
• Handling electronic evidence at the crime scene during an investigation consists of:
◆ Recognition and identification of the evidence.
◆ Documentation of the crime scene.
◆ Collection and preservation of the evidence.
◆ Packaging and transportation of the evidence.
Prior to these steps:
• The necessary legal authority to search for and seize the suspected evidence must be obtained
• The crime scene must be secured and documented (photographically and/or by sketch or notes).
• Crime scene protective equipment (gloves, etc.) must be used
Note: Always remember to consult your local prosecutor before accessing stored data on a device. Because of the fragile nature of electronic evidence, examination should be done by appropriate personnel.
Initiating Computer crimes investigation (Cont…)
What are the considerations when planning for an investigation?
A basic investigation plan therefore consists of:
- Acquiring the evidence
- Preparing an evidence form and establishing a chain of custody
- Transporting the evidence to a computer forensics lab
- Placing the evidence in a secure environment (container)
- Preparing a forensics workstation
- Obtaining the evidence from the secure environment where it was placed
- Making a forensic copy of the evidence
- Returning the evidence to the secure environment
- Processing the copied evidence with computer forensics tools
Initiating Computer crimes investigation (Cont…)
Notes:
• The evidence custody form helps in documenting what has been done with the original evidence and its forensic copies
• The single-evidence form lists each piece of evidence on a separate page. The multi-evidence form is used otherwise
• Evidence bags should be used to catalogue the evidence.
• Preferably, the products used should be safe (use anti-static bags, etc.)
• Use well-padded containers
• All openings should be sealed with tape (floppy disk, power supply cord, etc.)
• Write your initials on the tape to prove that the evidence has not been tampered with
Initiating Computer crimes investigation (Cont…)
Presentation of some important investigation forms
• Chain of evidence form (details all evidence collected, with its specifications)
• Chain of custody form (details how the evidence was handled every step of the way)
• Multi-evidence form
• Single-evidence form
Investigating an Employee Termination case
• Most investigations for termination cases involve employee abuse of corporate assets.
• They also cover issues such as harassment and visiting prohibited websites while at work.
• Harassment case: people have to leave their work → resulting in significant cost on both sides (employee and employer)
Consequences:
- Loss of productivity
- Need to retrain new staff
- Wrongful termination lawsuits
- Impact on company culture, workplace morale and brand reputation
So…
There is a need to investigate allegations and report to internal stakeholders so that appropriate action can be taken.
Investigating an Employee Termination case (Cont…)
Investigating Termination based on Internet abuse
• You need:
- Access to the organization’s Internet proxy logs
- The suspect computer’s IP addresses
- The suspect computer’s disk drive
- Your most reliable computer forensics tools
Steps to take will therefore involve:
- Making use of standard forensic analysis techniques and procedures
- Using appropriate tools to extract all web page URL information (example: Magnet.AI tool)
- Contacting the network administrator to request a proxy server log
- Comparing the data recovered from forensic analysis to the proxy server log
- Proceeding with the analysis of the computer disk drive data
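The comparison of recovered URL data with the proxy server log, as an added example that is not part of the original slides: a Python sketch that matches browser-history records against proxy entries for the suspect's IP address. The Squid-style log layout, the sample lines, the IP address and the 120-second tolerance are all constructed assumptions.

```python
"""Match URLs recovered from a disk image against proxy log entries for one client IP.
Added illustration: every log line, history record, IP and tolerance is constructed.
Assumed Squid-style native layout:
  epoch.ms elapsed client action/status bytes method URL ident hierarchy/peer type
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

SUSPECT_IP = "10.0.5.23"   # constructed workstation address
TOLERANCE_S = 120          # constructed allowance for clock drift between PC and proxy

PROXY_LOG = """\
1583222400.120 210 10.0.5.23 TCP_MISS/200 5120 GET http://example.org/jobs - HIER_DIRECT/93.184.216.34 text/html
1583222460.480 95 10.0.5.40 TCP_MISS/200 2048 GET http://example.org/jobs - HIER_DIRECT/93.184.216.34 text/html
1583222520.900 130 10.0.5.23 TCP_DENIED/403 900 GET http://blocked.example.net/play - HIER_NONE/- text/html
this line is damaged and must not crash the parser
1583222700.250 3000 10.0.5.23 TCP_TUNNEL/200 8000 CONNECT mail.example.com:443 - HIER_DIRECT/203.0.113.7 -
1583226000.000 80 10.0.5.23 TCP_MISS/200 700 GET http://intranet.example.com/hr - HIER_DIRECT/10.0.0.8 text/html
"""

# (URL, visit time in UTC epoch seconds) as exported by a history-extraction tool
RECOVERED_HISTORY = [
    ("http://example.org/jobs", 1583222405),
    ("http://blocked.example.net/play", 1583222515),
    ("https://mail.example.com/inbox", 1583222690),
    ("http://unlogged.example.io/upload", 1583223000),
]


@dataclass(frozen=True)
class ProxyEntry:
    ts: float
    client: str
    status: str
    method: str
    target: str   # full URL, or host:port for a CONNECT tunnel


def parse_proxy_log(text):
    """Return (entries, rejected_lines); damaged lines are kept so the report can list them."""
    entries, rejected = [], []
    for line in text.splitlines():
        f = line.split()
        try:
            entries.append(ProxyEntry(float(f[0]), f[2], f[3], f[5], f[6]))
        except (IndexError, ValueError):
            rejected.append(line)
    return entries, rejected


def _host_path(url):
    u = urlsplit(url)
    return (u.hostname or "").lower(), (u.path or "/") + ("?" + u.query if u.query else "")


def _matches(entry, url):
    """'full-url', 'host-only' (HTTPS tunnel: the proxy saw only host:port) or None."""
    host, path = _host_path(url)
    if entry.method == "CONNECT":
        return "host-only" if entry.target.rsplit(":", 1)[0].lower() == host else None
    return "full-url" if _host_path(entry.target) == (host, path) else None


def correlate(history, entries, suspect_ip, tolerance_s):
    """Split the evidence into corroborated, disk-only and proxy-only records."""
    suspect = [e for e in entries if e.client == suspect_ip]
    used, corroborated, history_only = set(), [], []
    for url, visited in history:
        for i, e in enumerate(suspect):
            kind = _matches(e, url) if abs(e.ts - visited) <= tolerance_s else None
            if kind:
                used.add(i)
                corroborated.append((url, e.status, kind))
                break
        else:
            history_only.append(url)      # on disk, but never seen by the proxy for this IP
    proxy_only = [e.target for i, e in enumerate(suspect) if i not in used]
    return {"corroborated": corroborated, "history_only": history_only,
            "proxy_only": proxy_only}


if __name__ == "__main__":
    parsed, bad = parse_proxy_log(PROXY_LOG)
    print(f"{len(parsed)} entries parsed, {len(bad)} rejected")
    for section, rows in correlate(RECOVERED_HISTORY, parsed, SUSPECT_IP, TOLERANCE_S).items():
        print(section, rows)
```

Records that appear only on disk or only in the proxy log are leads to explain (clock offset, another network path, cleared history), not conclusions in themselves.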
Investigating an Employee Termination case (Cont…)
Investigating Termination based on E-mail abuse
You need to:
- Acquire an electronic copy of the offending e-mail that contains message header data
- Also, if possible, acquire e-mail server log records
- If the e-mail system stores users’ messages on a central server, get access to that server
- Gain access to the computer so that you can conduct forensic analysis on it
- Remember to always go for the most reliable forensic analysis tools
Steps to take will therefore involve:
- Using the standard forensic analysis techniques
- Getting an electronic copy of the suspect’s and victim’s e-mail folders or data
- For web-based e-mail investigations, using tools such as FTK’s Internet Keyword Search option to extract all related e-mail address information
- Examining the header data of all messages of interest to the investigation
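Examining message header data, as an added example that is not part of the original slides: a Python sketch using the standard library `email` package to list the Received hops in delivery order and flag sender-domain mismatches and hops whose timestamps run backwards. The message and every address in it are constructed.

```python
"""List Received hops in delivery order and flag header inconsistencies.
Added illustration: the message and all addresses below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.corp.example.com (mx.corp.example.com [192.0.2.10])
\tby mailstore.corp.example.com with ESMTP id A1; Mon, 02 Mar 2020 09:15:07 +0100
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.corp.example.com with ESMTP id B2; Mon, 02 Mar 2020 08:15:03 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.net with ESMTPSA id C3; Mon, 02 Mar 2020 08:14:58 +0000
From: "HR Department" <hr@corp.example.com>
Reply-To: someone@freemail.example.org
To: victim@corp.example.com
Subject: Your contract
Date: Mon, 02 Mar 2020 08:14:50 +0000
Message-ID: <20200302081450.1234@relay.example.net>

(body omitted)
"""

MESSAGE = message_from_string(RAW_MESSAGE)


def received_hops(msg):
    """Each relay prepends its own Received header, so reverse them for delivery order."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        info, sep, stamp = value.rpartition(";")
        if not sep:                        # no timestamp part at all
            info, stamp = value, ""
        src = re.search(r"\bfrom\s+(\S+)", info)
        dst = re.search(r"\bby\s+(\S+)", info)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None                    # unparsable stamp: record it, do not guess
        hops.append({"from": src.group(1) if src else None,
                     "by": dst.group(1) if dst else None,
                     "when": when})
    return hops


def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def findings(msg):
    """Return (code, detail) pairs for the examiner to follow up."""
    out = []
    sender = _domain(msg["From"])
    for name, code in (("Return-Path", "return-path-mismatch"),
                       ("Reply-To", "reply-to-mismatch")):
        d = _domain(msg[name])
        if d and d != sender:
            out.append((code, f"{name} domain {d} differs from From domain {sender}"))
    # compare only timezone-aware stamps, so +0100 and +0000 are ordered correctly
    timed = [h for h in received_hops(msg) if h["when"] and h["when"].tzinfo]
    for earlier, later in zip(timed, timed[1:]):
        if later["when"] < earlier["when"]:
            out.append(("time-reversal",
                        f"{later['by']} stamped the message before {earlier['by']}"))
    return out


if __name__ == "__main__":
    for n, hop in enumerate(received_hops(MESSAGE), 1):
        print(n, hop["from"], "->", hop["by"], hop["when"])
    for code, detail in findings(MESSAGE):
        print(code, "-", detail)
```

Only the topmost Received headers were written by servers the organization controls; the lower ones are supplied by earlier hops, which is why they are worth comparing against the e-mail server logs mentioned above.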
Attorney-Client Privilege (ACP) Investigation
For investigations related to ACP, one important factor:
- You must keep all findings confidential
Also:
- Many attorneys like to have printouts of the data you have recovered, so there is a need to persuade and educate many attorneys on how digital evidence can be viewed electronically
Remember: you may face difficulties if you find data in the form of binary files
The steps involved in conducting an ACP investigation are:
- Request a memorandum from the attorney directing you to start the investigation
- Request a list of keywords of interest to the investigation
- Initiate the investigation and analysis
- If there is a need to examine a disk, make two bit-stream images using different tools
- Compare hash signatures on all files on the original and re-created disks
- Methodically examine every portion of the disk drive and extract all data
- Run keyword searches on both allocated and unallocated disk space
- Analyze and extract data from the registry using tools such as Registry Viewer 2.0 (AccessData Registry Viewer)
Attorney-Client Privilege (ACP) Investigation (Cont…)
- Identify the correct software product for binary data files such as CAD drawings
- It is advisable to use a tool that removes or replaces non-printable data for unallocated data recovery (SIFT tool, Linux)
- Consolidate all recovered data from the evidence bit-stream image into folders and subfolders
Besides:
- As much as possible, minimize written communications with the attorney!
Note: Any document for the attention of the attorney must contain a header stating “Privileged Legal Communication-Confidential Work Product”. Always keep an open line of verbal communication.
- Encryption should be used if you need to communicate via e-mail
Conducting a Media Leak Investigation
It is important to know that keeping control of sensitive data can be difficult. So…
• For this kind of case, consider:
- Examining e-mail
- Examining Internet message boards
- Examining proxy server logs
- Examining known suspects’ workstations
- Examining all company telephone records, looking for calls to the media
Steps to take for media leaks involve:
- Interview management privately to get a list of employees who have direct knowledge of the sensitive data
- Identify the media source that published the information
- Review company phone records
- Obtain a list of keywords related to the media leak
- Perform keyword searches on proxy and e-mail servers
Conducting a Media Leak Investigation (Cont…)
- Discreetly conduct forensic disk acquisitions and analysis
- From the forensic disk examinations:
  - Analyze all e-mail correspondence and trace any sensitive messages to other people
  - Expand the discreet forensic disk acquisition and analysis
  - Consolidate and review your findings periodically
  - Routinely report findings to management
Conducting an Industrial espionage investigation
All suspected industrial espionage cases should be treated as criminal investigations.
There is a need to form a dedicated staff made up of:
- Computing investigator: responsible for disk forensic examinations
- Technology specialist: knowledgeable about the suspected compromised technical data
- Network specialist: performs log analysis and sets up network sniffers
- Threat assessment specialist (typically an attorney)
Conducting an Industrial espionage investigation (Cont…)
To conduct an investigation of this type of case:
• Find out whether this investigation involves a possible industrial espionage incident
• Consult with corporate attorneys and upper management
• Determine what information is needed to substantiate the allegation
• Generate a list of keywords for disk forensics and sniffer monitoring
• List and collect resources for the investigation
Conducting an Industrial espionage investigation (Cont…)
• Determine the goal and scope of the investigation
• Initiate the investigation after approval from management
Planning considerations
• Examine all e-mail of suspected employees
• Search Internet newsgroups or message boards
• Initiate physical surveillance
• Examine facility physical access logs for sensitive areas
Conducting an Industrial espionage investigation (Cont…)
After implementing the above guidelines, you need to plan your investigation:
• Determine the suspect's location in relation to the vulnerable asset
• Study the suspect’s work habits
• Collect all incoming and outgoing phone logs
Steps
• Gather all personnel assigned to the investigation and brief them on the plan
• Gather resources to conduct the investigation
• Place surveillance systems
• Discreetly gather any additional evidence
• Collect all log data from networks and e-mail servers
• Report regularly to management and corporate attorneys
• Review the investigation’s scope with management and corporate attorneys
Initiating Interviews in Digital Forensics investigations
• Investigation interviews require experience.
• Why?
• Obtaining a confession from a suspect is not an easy task!
• Interviews are done to collect information from a witness or suspect about specific facts related to an investigation.
• A digital forensic investigator will be interested in gathering information and conducting interviews regarding computer crime, child pornography, fraud, hacking, and other digital crimes.
• Before starting the interview process:
- Investigators must know the potential facts of the case and background information on the victim or perpetrator to be interviewed
- They must know the victims’ or perpetrators’ personal information, prior criminal sentences, and professional status
- The purpose here is to develop a methodology to create a standardized interview method and to try to build relationships and connections with the interviewee.
Note: There is no standard interview method. It all depends on the type of crime to investigate (fraud, hacking…)
Initiating Interviews in Digital Forensics investigations (Cont…)
• Therefore, different interview techniques exist, but interviews should usually try to answer simple questions such as: who, when, where, what, how, and why.
• Remember: The initial interview is typically the best chance to collect basic evidence. Also, interviewers must be patient and persistent through the interview process.
• While waiting to define which technique to use for the computer-related crime:
- Evaluate the suspect's computer skills, to avoid being confused by perpetrators or victims who could possibly have higher computer knowledge
- The computer knowledge of the perpetrators should be evaluated based on other evidence
- Gather as many details as possible regarding the hardware and software that the perpetrator was using
- Also gather details concerning the victim (especially if a child is involved)
- Besides, gather information such as: the perpetrator’s user name, online profile, ISP, e-mail account information, time of connectivity online.
Interview Methodology
• The interview process can effectively start once the information necessary for the interview is gathered.
But before you start, have ready:
- Privacy Act Statement
- List of official papers from the interviewee
- Checklist with information gathered prior to the interview
- List of questions
- Copies of all official papers planned to be shown to the perpetrator or victim
- The method used to record the interview
Be mindful that:
- The interview should be conducted in a peaceful and comfortable setting
- Use personal names to relax the tension and start building a good “rapport” with the interviewee. A good relationship from the start helps in achieving GOOD RESULTS
- Don’t use a heavy-handed approach that enforces your authority (NO NEED!)
- For a child case, make sure to prepare the child's morale ahead of the interview
- Be a good listener and observer
- DO NOT COMPLETE the interviewee's sentences. If you don’t get it, reformulate until both of you are on the same page
- Adopt an open-ended approach prior to the YES/NO format
Interview Methodology (Cont…)
The following steps should be taken to conduct investigation interviews:
1. Welcome the victim in a pleasant way
2. Be comfortable and friendly to calm the victim (in the case of a child victim, the interviewer must be extremely cautious not to disturb the child)
3. Introduce yourself
4. Explain to the victim the reason for the visit
5. Clarify the significance and importance of the victim’s testimony to the case
6. Check the victim’s name, current address, phone numbers, and occupation
7. Ask the victim to tell the story as a narrative
8. Do not interrupt; listen, and take brief notes very cautiously on what the victim says
9. Observe the victim’s behavior and body movement
10. Try to be empathetic to motivate the victim
11. Ask additional questions relevant to the case when the victim finishes the narrative, starting with general questions, and moving toward more specific questions
12. Ask specific questions, if child exploitation is involved, about the location of the crime, methods, and any existing computers and other devices
13. Compare the victim’s statement with other statements, if they exist
14. Review contradictions, and, if the victim is cooperative, present them to the victim
Interview Methodology (Cont…)
Figure: Interview process for a child abuse case in computer-related crimes – Source: (Edita Bajramović, 2014)
Investigation Interview Recording
• A very important element of digital forensic investigations
• Needs to be accurate
• An interview record can create the foundation for investigative case management conclusions.
• An interview record can be used as evidence in some jurisdictions
• To determine which recording technique to use, think about:
- Cost
- Logistics
- The possible effect on those interviewed
- Any lawful requirements affecting the interview’s acceptability
Figure: Interview recording techniques for computer-related crimes – Source: (Edita Bajramović, 2014)
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence)
• Electronic evidence can be found in many of the new types of electronic devices available today.
• There is a wide variety of the types of electronic devices commonly
encountered in crime scenes.
Remember: Many electronic devices contain memory that
requires continuous power to maintain the information (battery or AC
power). Data can be easily lost by unplugging the power source
or allowing the battery to discharge.
Note: After determining the mode of collection, collect and
store the power supply adaptor or cable, if present, with the
recovered device
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
Figure: Computer crime scene – Source: (CHFI, 2010)
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence) (Cont…)
Investigating Computer Systems
• A computer system consists of a main base unit (CPU), data storage devices, a monitor, keyboard, and mouse.
• It may be standalone or connected to a network (laptops, desktops, tower systems, modular rack-mounted systems, microcomputers, minicomputers, supercomputers and mainframe computers).
• Additional components include modems, printers, scanners, docking stations, and external data storage devices.
Primary use: Computation and information storage
Potential evidence: commonly found in files that are stored on hard drives and storage devices and media.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence) (Cont…)
Investigating Computer Systems
• Example: User-Created Files
These can contain important evidence of criminal activity, such as:
- Address books and database files (may prove criminal association)
- Still or moving pictures (may be evidence of pedophile activity)
- Communications between criminals (e-mail or letters)
- Drug deal lists, which may often be found in spreadsheets
The investigator should look at:
◆ Address books.
◆ Audio/video files.
◆ Calendars.
◆ Database files.
◆ Documents or text files.
◆ E-mail files.
◆ Image/graphics files.
◆ Internet bookmarks/favorites.
◆ Spreadsheet files.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence) (Cont…)
Investigating Computer Systems
Example: User-Protected Files
• Users can hide evidence in a variety of forms
• They may encrypt or password-protect data that are important to them.
• They may also hide files on a hard disk or within other files, or deliberately hide incriminating evidence files under an innocuous name
The investigator should also focus on:
◆ Compressed files.
◆ Encrypted files.
◆ Hidden files.
◆ Misnamed files.
◆ Password-protected files.
◆ Steganography.
Remember that:
- Passwords, Internet activity, and temporary backup files are examples of data that can often be recovered and examined
- Evidence can also be found in files and other data areas created as a routine function of the computer’s operating system
- In most cases, the user is not aware that data are being written to these areas.
- There are components of files that may have evidentiary value, including the date and time of creation, modification, deletion, access, user name or identification, and file attributes.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence) (Cont…)
Investigating Computer Systems
Example: Computer-created files and other data areas
Evidence can also be found in files created by the computer itself and in other areas.
Investigators should check:
◆ Backup files.
◆ Configuration files.
◆ Cookies.
◆ Hidden files.
◆ History files.
◆ Log files.
◆ Printer spool files.
◆ Swap files.
◆ System files.
◆ Temporary files.
And
◆ Bad clusters.
◆ Computer date, time, and password.
◆ Deleted files.
◆ Free space.
◆ Hidden partitions.
◆ Lost clusters.
◆ Metadata.
◆ Other partitions.
◆ Reserved areas.
◆ Slack space.
◆ Software registration information.
◆ System areas.
◆ Unallocated space.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence) (Cont…)
• Read Chapter 1 of the book: Computer Hacking Forensics Investigators (CHFI), Computer Forensics, Investigating Hard disks, File and Operating System, Eccouncil, 2010. PDF format
• Evaluate other computer system components and network entities that can be submitted to the investigation process.
• Take note of potential sources of evidence during investigation.
• Generate a table that describes each component with the possible evidence that can be found.
Conducting the investigation generally on an item
• Gather the resources identified in the investigation plan.
Items needed, that is:
–> Original storage media
–> Evidence custody form
–> Evidence container for the storage media
–> Bit-stream imaging tool
–> Forensic workstation to copy and examine your evidence
–> Securable evidence locker, cabinet, or safe
Precautions to take during investigation to avoid destroying evidence
While gathering the evidence, there are steps you can take to avoid damaging it:
• Meet the IT manager to interview him
• Fill out the evidence form and have the IT manager sign it
• Place the evidence in a secure container
• Complete the evidence custody form
• Carry the evidence to the computer forensics lab
• Create forensic copies (if possible)
• Secure the evidence by locking the container
• Process the copied evidence with computer forensics tools
One important task during investigation: the copying process
One important rule of computer forensics investigation is to preserve the original evidence!
Remember: Conduct your analysis only on a copy of the data!
DO bit-stream copies
- A bit-stream copy is a bit-by-bit copy of the original storage medium
- The copy obtained is an exact copy of the original disk
- Copy the image file to a target disk that matches the original disk's manufacturer, size and model
(Diagram: original disk, image, target disk)
- This is different from a simple backup copy
- Backup software only copies known files
- Backup software cannot copy deleted files or e-mail messages, or recover file fragments
Tools: ProDiscover Basic, FTK Imager, Linux dd command
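The bit-stream copy described above and the hash comparison of two images from the ACP steps, as an added example that is not part of the original slides: a Python sketch that images a source block by block, verifies the images by hash, and shows what a file-level backup misses. The "disk" is a constructed byte string with a toy file table, not a real file system, and the two block sizes merely stand in for two different imaging tools.

```python
"""Bit-stream imaging with hash verification, contrasted with a file-level backup.
Added illustration: the disk contents, file table and keyword are constructed.
"""
import hashlib
import os
import tempfile

SECTOR = 512
KEYWORD = b"wire transfer"   # constructed search term


def build_disk():
    """Constructed 8-sector 'disk': one allocated file plus a deleted-file remnant."""
    disk = bytearray(8 * SECTOR)
    allocated = b"Quarterly report (allocated file)"
    remnant = b"wire transfer to account 0000 (deleted, constructed)"
    disk[1 * SECTOR:1 * SECTOR + len(allocated)] = allocated
    disk[5 * SECTOR:5 * SECTOR + len(remnant)] = remnant   # no table entry points here
    table = {"report.txt": (1 * SECTOR, len(allocated))}
    return bytes(disk), table


def sha256_of(path, block=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src, dst, block):
    """Copy every byte of src to dst and return the hash of the bytes actually read."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "xb") as fout:   # 'x': never overwrite an image
        for chunk in iter(lambda: fin.read(block), b""):
            h.update(chunk)
            fout.write(chunk)
        fout.flush()
        os.fsync(fout.fileno())
    return h.hexdigest()


def file_level_backup(disk, table):
    """What backup software copies: only the files the table knows about."""
    return {name: disk[off:off + size] for name, (off, size) in table.items()}


def keyword_offsets(data, keyword):
    hits, i = [], data.find(keyword)
    while i != -1:
        hits.append(i)
        i = data.find(keyword, i + 1)
    return hits


def demo():
    disk, table = build_disk()
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "original.raw")    # stands in for the original medium
        img_a, img_b = os.path.join(d, "image_a.dd"), os.path.join(d, "image_b.dd")
        with open(src, "wb") as f:
            f.write(disk)
        original = sha256_of(src)
        read_a = acquire(src, img_a, block=512)
        read_b = acquire(src, img_b, block=4096)
        # re-read both images from disk: all hashes must agree with the original
        verified = {original} == {read_a, read_b, sha256_of(img_a), sha256_of(img_b)}
        with open(img_b, "r+b") as f:            # alter one byte of a working copy
            f.seek(100)
            f.write(b"\x01")
        alteration_detected = sha256_of(img_b) != original
        with open(img_a, "rb") as f:
            image = f.read()
    backup = b"".join(file_level_backup(disk, table).values())
    return {"verified": verified,
            "alteration_detected": alteration_detected,
            "image_hits": keyword_offsets(image, KEYWORD),
            "backup_hits": keyword_offsets(backup, KEYWORD)}


if __name__ == "__main__":
    print(demo())
```

The keyword is found in the image at the offset of the unreferenced sector and nowhere in the backup, which is the practical difference between the two kinds of copy.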
Finalizing the Investigation Case
At the end of your investigation, you need to produce a final report.
Here, you must:
- State what you did and what you found
- Include the report generated by your forensic tool to document your work
Repeatable findings
- Repeat the steps and produce the same result, using different tools
- If required, use a report template
The report should show conclusive evidence: did the suspect commit the crime or not, or violate a company policy? → Your opinion
Finalizing the Investigation Case
• At the end of your investigation, you need to critique the case.
Ask yourself the following questions:
- How could you improve your performance in the case?
- Did you expect the results you found?
- Did the case develop in ways you did not expect?
- Was the documentation as thorough as it could have been?
- What feedback has been received from the requesting source?
- Did you discover any new problems? If so, what are they?
- Did you use new techniques during the case or during research?
CONCLUSION
• Digital forensic investigation of a computer is a unique process that comes with many challenges.
• The success of an investigation relies on how well we understand what we are looking for and how efficient we are in the process of looking for it.
• Conducting a computer investigation therefore requires following an acceptable procedure.
• From the acquisition of evidence to the processing of the copied evidence with computer forensics tools, computer forensics investigation contributes to fighting the growth of digital crimes.
• Remember that any digital device can be a source of evidence. Only perspicacity in conducting the forensic investigation process can ensure good results.
• It therefore depends on how well you are equipped and on the various forensics tools used in your forensics laboratory.
GROUP WORK ASSIGNMENTS
PRESENTATION
In order to become familiar with various forensics tools:
1. Download Forensic Toolkit (FTK) from this URL: https://accessdata.com/product-download/forensic-toolkit-ftk-version-6-0
2. The downloaded file will be an .iso file. Use the appropriate software to load it in your OS (Nero, ISO opener, PowerISO, etc.).
3. Form a group of 6 students and specify your group leader
4. Install this tool on an updated laptop with acceptable specifications (dual core, 2GB RAM, <10GB HDD free space, Windows 10/Linux)
5. Prepare a PowerPoint presentation of this application
6. Demonstrate 2 features expressing forensics investigation
Duration: 1h30mn
Note: This class session will be ONSITE. Date: to be discussed in class…
GROUP WORK ASSIGNMENTS
PRESENTATION
• Download the PDF file "Digital Evidence and the US Criminal
Justice System" here:
https://www.rand.org/pubs/research_reports/RR890.html
• Form a group of 3 students.
• Prepare a PowerPoint presentation of the content of this file.
• Emphasize the case studies presented to make your point.
• Give a class presentation of your findings and conclusion.
• Conclude your presentation using a practical forensics tool that
demonstrates how evidence can be managed during a forensics
investigation.
• Duration: 1h30mn
END

Chap 2 computer forensics investigation

  • 1. COMPUTER FORENSICS Chap 2- COMPUTER FORENSICS AND FRAUD INVESTIGATIONS By MALOBE LOTTIN CYRILLE M Network and Telecommunication Engineer PhD Student Contact: +237 243004411 / 695654002 Email: malobecyrille.marcel@ictuniversity.org Computer Forensic Science © Copyright 2020
  • 2. CONTENT • Introduction • Overview of a Computer Crime • Digital Investigation Triad • Initiating Computer crimes investigations • Some investigations procedures in Corporate environment: - Employee termination case :Internet abuse - Employee termination case :Email abuse - Attorney-Client Privilege investigation (ACP) case - Media Leak investigations case • Initiating Interviews in Digital Forensics Investigations • Interview Methodology • Investigation Interview Recording • Investigating a Computer Crime Scene: Electronic devices (Type and Potential evidence) • Conducting the Investigation on an item • Precautions to take during Investigation • The copying Process • Finalizing the investigation Case • Conclusion Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 3. INTRODUCTION • Digital forensics investigation of a Computer is a unique process that comes with so many challenges:(Understand how computers manipulates bits values - 0 and 1, mastering operating systems, computer hardware, network operation, etc.) • Investigation is the act or process of investigating or the condition of being investigated. • Computer investigation is about conducting systematic search of digital evidence where data are collected in the most secured and efficient manner. • Forensics professionals gather evidence to prove that a suspect committed a crime or violated a company policy. • Remember: Digital Forensics is not Data recovery • The success of an investigation operation relies on how good we understand what we are looking for and how efficient we are in the process of looking for it. • Investigation of digital devices generally includes:  COLLECTING DATA SECURELY  OBSERVATION AND EXAMINATION OF SUSPECTED DATA  PRESENTATION OF COLLECTED DATA REPRESENTED AS DIGITAL INFORMATION TO COURTS  MAKING USE OF LAWS RELATED DIGITAL EVIDENCE PRACTICES • Action of conducting a computer investigation therefore require to follow an accepted procedure • A good case is ensured based on the validity of the Chain of evidence and Chain of Custody Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 4. OVERVIEW OF A COMPUTER CRIME How do we characterize a crime as “ COMPUTER CRIME” ? • Computer is used as instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy. • Four major categories of computer crimes:  Internal Computer crimes: trojan horses, logic bombs, trap doors, worms, and viruses  Telecommunication related crimes: phreaking and hacking  Computer manipulation crimes that result in embezzlement and fraud: used of computer to manipulate financial statement  Traditional thefts of hardware and software - UP to NOW: Slow implementation / adoption of Laws related to computer crimes by governments. Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 5. SO, majors perpetrators of computer crimes includes: • Hackers. • Crackers. • Malicious insider. • Industrial spies. • Cybercriminals. • Hacktivist. • Cyber terrorists. Computer crimes today are so prevalent because: - Complexity of systems  drop in the mastering of the computer and network environment - Poor implementation of security policies - Rapid technological advancements - Slow /delay in getting soft and hardware fixes (repairs) - Better mastering of physical crimes  push criminal to try other means OVERVIEW OF A COMPUTER CRIME (Cont…) Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 6. • Computer crime includes cases in which the computer is the tool, the target, or is incidental to the offense. Practical case example “In a recent case where a computer was used as a tool in the Crime, SEARCH assisted the Long Beach (California) Police Department with the forensic examination of two seized microcomputers. The computers were allegedly used by a gang involved in a payroll check counterfeiting operation that resulted in the loss of millions of dollars to two major banking institutions. The suspects used computer imaging technology and high-resolution scanners and printers to replicate payroll checks”. (kelly, 1995) • It means computers crimes contain information that helps law enforcement determine : - chain of events leading to a crime, - Evidence that can lead to a conviction. Note: Digital evidence can easily be altered by a careless investigator. Be mindful to respect procedures ! OVERVIEW OF A COMPUTER CRIME ( Cont…) Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 7. Digital investigation Triad • Investigators in charge of Forensics often work as a team Known as the investigation Triad. Source: Retrieved from https://doi.org/10.1016/j.diin.2015.07.004
  • 8. Digital investigation Triad (Cont…) Forensics Investigation need to be conducted with CIA principle in mind. The integrity of Data must be preserve, making the discovery confidential much as possible and available accordingly to how it will be presented and accepted in Court. The digital Forensics Triad is made of Three Main Pillars:  VULNERABILITIES/Threat Assessment and Risk Management: consist of activity such as testing and verifying the integrity of stand-along Workstations and network servers  Network Intrusion Detection and Incidence response: Detects intruders attacks with automated tools and monitoring network firewall logs  Digital investigations: properly managed investigation and launching of forensics analysis of any system suspected to contain potential evidence. The CIA triad Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 9. Initiating Computer crimes investigation What should be the behavior of Investigators towards evidences of the crime scene ? • Handling electronic evidence at the crime scene during investigation consist of: ◆ Recognition and identification of the evidence. ◆ Documentation of the crime scene. ◆ Collection and preservation of the evidence. ◆ Packaging and transportation of the evidence. Prior to these steps • Necessary legal authority to search for and seize the suspected evidence must be obtained • The crime scene must be secured and documented (photographically and/or by sketch or notes). • Must use Crime scene protective equipment (gloves, etc.) Note: Always remember to consult your local prosecutor before accessing stored data on a device. Because of the fragile nature of electronic evidence, examination should be done by appropriate personnel. Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 10. What are the considerations when planning for an investigation ? A basic investigation plan therefore consist of:  Acquiring the evidence Preparing an evidence form and establishment of a chain of custody Transportation of the evidence to a computer forensics lab Placing the evidence in a secure environment ( Container) Preparing a forensics workstation Obtaining the evidence from the secure milieu where it was placed Making a forensic copy of the evidence Returning the evidence in the secure milieu Processing of the copied evidence with the use of computer forensics tools Initiating Computer crimes investigation(Cont…) Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 11. Notes: • Evidence custody form document will help in documenting what has been done with the original evidence and his forensics copies • The single evidence form will list each piece of evidence in a separate page. The Multi-evidence form will be use otherwise • The evidence bags should be used to catalogue the evidences. • Preferably, products used should be safe (use anti-static bags, etc.) • Use well padded containers • All openings should be seal with a tape ( floppy disk, Power supply cord, etc.) • Write your initial on tape to prove that evidence has not been tampered with Initiating Computer crimes investigation(Cont…) Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 12. Presentation of some important investigation forms Initiating Computer crimes investigation(Cont…) • Chain of evidence Form (Form that details all evidence collected with their specifications) • Chain of custody form (form that details how the evidence was handled every step of the way) Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 13. • Multi-evidence form • Single -evidence form Initiating Computer crimes investigation(Cont…) Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 14. Investigating an Employee Termination case • Most of investigations for termination cases involve employee abuse for corporate assets. • Also, issues such as harassment, visiting prohibited websites while at work • Harassment case: people have to leave their work  resulting in significant cost on both side ( employee and employer) Consequence - lost of productivity - retraining need of new staff - Wrongful termination lawsuits - Impact on company culture, workplace morale, brand reputation affected So… Need to conduct investigation on allegations and report to internal stakeholders for appropriate action to be taken Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 15. Investigating Termination based on Internet abuse • Need to: Access organization’s internet proxy logs Suspect computer’s IP addresses Suspect computer’s disk drive And make use of your most reliable computer forensics tools Steps to take will therefore involve: Making use of standard forensics analysis techniques and procedures Using appropriate tools to extract all web page URL information ( example: Magnet.AI tool) Contacting the network administrator and request a proxy server log Comparing the data recovered from forensic analysis to the proxy server log And, proceed with the analysis of the computer disk drive data Investigating an Employee Termination case (Cont…)
  • 16. Investigating Termination based on E-mail abuse Need to: Acquire an electronic copy of the offending e-mail that contains message header data  also, if possible, acquire email server logs records - if the e-mail system store user’s messages on a central server, get access to that server Gain access to the computer for you to conduct forensics analysis on it Then, remember to always go for the most reliable forensics analysis tools Steps to take will therefore involve:  use the standard forensics analysis techniques Get an electronic copy of the suspect’s and victims e-mail folder or data  For web-based email investigations, you can use tools such as FTK’s Internet Keyword Search option to extract all related e-mail address information Examine header data of all messages of interest to the investigation Investigating an Employee Termination case (Cont…) Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 17. Attorney-Client Privilege (ACP) Investigation For investigation related to ACP, one important factor You must maintain all findings confidential Also:  many attorney like to have printouts of the data you have recovered. So, there is a need to persuade and educate many attorneys on how digital evidence can be viewed electronically Remember: you may face difficulties if you find data in the form of binary files The steps involve in conducting ACP investigation are:  making a request of a memorandum from the attorney directing you to start the investigation  Requesting a list of keyword of interest to the investigation  Initiate the investigation and analysis  If there is a need to examine a disk, make two bit stream images using different tools  Compare hash signatures on all files on the original and re-created disks  Do a methodic examination of every portion of the disk drive and extract all data  Run Keyword searches on both allocated and unallocated disk space  Analyze and extract data from the registry using tools such as Registry Viewer 2.o ( Access data registry viewer) Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
  • 18. Attorney-Client Privilege (ACP) Investigation (Cont…)
    - Identify the correct software product for binary data files such as CAD drawings
    - For unallocated data recovery, it is advisable to use a tool that removes or replaces non-printable data (SIFT tool, Linux)
    - Consolidate all recovered data from the evidence bit-stream image into folders and subfolders
    Besides:
    - As far as possible, minimize written communications with the attorney!
    - Note: any document addressed to the attorney must contain a header stating "Privileged Legal Communication-Confidential Work Product"
    - Always keep an open line of verbal communication
    - Encryption should be used if you need to communicate via e-mail
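The keyword-search step of the ACP procedure, as an added Python example that is not part of the original slides: it searches the raw bytes of a bit-stream image, so allocated files, slack and unallocated space are all covered, and it replaces non-printable bytes in the context shown around each hit. The keyword, the image content and the function names are constructed for illustration.

```python
import mmap
import os
import re


def printable_context(image, start, end, margin=16):
    """Return the bytes around a hit with every non-printable byte replaced by '.'."""
    window = image[max(0, start - margin):end + margin]
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in window)


def search_image(path, keywords):
    """Search a raw image for each keyword, case-insensitively, as ASCII and UTF-16LE.

    The image is mapped read-only, so large images are not loaded into memory
    and the working copy cannot be modified by the search.
    Returns a sorted list of (offset, keyword, encoding, context).
    """
    if os.path.getsize(path) == 0:          # an empty file cannot be mapped
        return []
    hits = []
    with open(path, "rb") as handle, \
            mmap.mmap(handle.fileno(), 0, access=mmap.ACCESS_READ) as image:
        for keyword in keywords:
            # Windows applications often store text as UTF-16LE, which a plain
            # ASCII search would miss.
            for encoding in ("ascii", "utf-16-le"):
                pattern = re.compile(re.escape(keyword.encode(encoding)), re.IGNORECASE)
                for match in pattern.finditer(image):
                    context = printable_context(image, match.start(), match.end())
                    hits.append((match.start(), keyword, encoding, context))
    return sorted(hits)


def build_sample_image(path):
    """Write a small constructed 'image': binary filler around two text fragments."""
    filler = bytes([0x00, 0xFF, 0x07, 0x1B]) * 128          # 512 non-printable bytes
    data = (filler
            + b"Subject: Project FALCON pricing"            # ASCII, as in a live file
            + filler
            + "draft for project falcon".encode("utf-16-le")  # UTF-16LE remnant
            + filler)
    with open(path, "wb") as handle:
        handle.write(data)
    return data


if __name__ == "__main__":
    import tempfile
    sample = os.path.join(tempfile.mkdtemp(), "evidence.img")
    build_sample_image(sample)
    for offset, keyword, encoding, context in search_image(sample, ["project falcon"]):
        print(f"{offset:>8}  {encoding:<9}  {context}")
```

Record the byte offset of each hit in the case notes so that another examiner can locate the same data with a different tool.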
  • 19. Conducting a Media Leak Investigation
    It is important to know that keeping control of sensitive data can be difficult. So, for this case, consider the following:
    - Examine e-mail
    - Examine Internet message boards
    - Examine proxy server logs
    - Examine known suspects' workstations
    - Examine all company telephone records, looking for calls to the media
    Steps to take for media leaks involve:
    - Interview management privately to get a list of employees who have direct knowledge of the sensitive data
    - Identify the media source that published the information
    - Review company phone records
    - Obtain a list of keywords related to the media leak
    - Perform keyword searches on proxy and e-mail servers
  • 20. Conducting a Media Leak Investigation (Cont…)
    - Discreetly conduct forensic disk acquisitions and analysis
    - From the forensic disk examinations:
      - Analyze all e-mail correspondence and trace any sensitive messages to other people
      - Expand the discreet forensic disk acquisition and analysis
      - Consolidate and review your findings periodically
      - Routinely report findings to management
  • 21. Conducting an Industrial Espionage Investigation
    All suspected industrial espionage cases should be treated as criminal investigations.
    A dedicated staff needs to be constituted, made up of:
    - Computing investigator: responsible for disk forensic examinations
    - Technology specialist: knowledgeable about the suspected compromised technical data
    - Network specialist: performs log analysis and sets up network sniffers
    - Threat assessment specialist (typically an attorney)
  • 22. Conducting an Industrial Espionage Investigation (Cont…)
    To conduct an investigation on this type of case:
    • Find out whether this investigation involves a possible industrial espionage incident
    • Be sure to consult with corporate attorneys and upper management
    • Determine what information is needed to substantiate the allegation
    • Generate a list of keywords for disk forensics and sniffer monitoring
    • List and collect resources for the investigation
  • 23. Conducting an Industrial Espionage Investigation (Cont…)
    • Determine the goal and scope of the investigation
    • Initiate the investigation after approval from management
    Planning considerations:
    • Examine all e-mail of suspected employees
    • Search Internet newsgroups or message boards
    • Initiate physical surveillance
    • Examine facility physical access logs for sensitive areas
  • 24. Conducting an Industrial Espionage Investigation (Cont…)
    After implementing the above guidelines, you need to plan your investigation:
    • Determine the suspect's location in relation to the vulnerable asset
    • Study the suspect's work habits
    • Collect all incoming and outgoing phone logs
    Steps:
    • Gather all personnel assigned to the investigation and brief them on the plan
    • Gather resources to conduct the investigation
    • Place surveillance systems
    • Discreetly gather any additional evidence
    • Collect all log data from networks and e-mail servers
    • Report regularly to management and corporate attorneys
    • Review the investigation's scope with management and corporate attorneys
  • 25. Initiating Interviews in Digital Forensics Investigations
    • Investigation interviews require experience.
    • Why?
    • Obtaining a confession from a suspect is not an easy task!
    • Interviews are done to collect information from a witness or suspect about specific facts related to an investigation.
    • A digital forensic investigator will be interested in gathering information and conducting interviews regarding computer crime, child pornography, fraud, hacking, and other digital crimes.
    • Before starting the interview process:
      - Investigators must know the potential facts of the case and background information on the victim or perpetrator to be interviewed
      - Know the victims' or perpetrators' personal information, prior criminal sentences, and professional status
      - The purpose here is to develop a methodology to create a standardized interview method and to try to build relationships and connections with the interviewee.
    Note: There is no standard interview method. It all depends on the type of crime to investigate (fraud, hacking…)
  • 26. Initiating Interviews in Digital Forensics Investigations (Cont…)
    • Different interview techniques therefore exist, but interviews should usually try to answer simple questions such as: who, when, where, what, how, and why.
    • Remember: the initial interview is typically the best chance to collect basic evidence. Interviewers must also be patient and persistent throughout the interview process.
    • While deciding which technique to use for the computer-related crime:
      - Evaluate the suspect's computer skills, to avoid being confused by perpetrators or victims who could possibly have greater computer knowledge
      - Evaluate the perpetrator's computer knowledge based on other evidence
      - Gather as many details as possible regarding the hardware and software that the perpetrator was using
      - Also gather details concerning the victim (especially if a child is involved)
      - Also gather information such as the perpetrator's user name, online profile, ISP, e-mail account information, and time of online connectivity
  • 27. Interview Methodology
    • The interview process can effectively start once the information necessary for the interview is gathered. But before you start, have ready:
      - Privacy Act Statement
      - List of official papers from the interviewee
      - Checklist with information gathered prior to the interview
      - List of questions
      - Copies of all official papers you plan to show to the perpetrator or victim
      - The method used to record the interview
    Be mindful that:
      - The interview should be conducted in a peaceful and comfortable setting
      - Use personal names to ease the tension and start building a good "rapport" with the interviewee. A good relationship from the start helps in achieving a GOOD RESULT
      - Don't use a heavy-handed approach that enforces your authority (NO NEED!)
      - In a child case, make sure to prepare the child's morale ahead of the interview
      - Be a good listener and observer
      - DO NOT COMPLETE the interviewee's sentences. If you don't understand, reformulate until you are both on the same page
      - Adopt an open-ended approach before the YES/NO format
  • 28. Interview Methodology (Cont…)
    The following steps should be taken to conduct investigation interviews:
    1. Welcome the victim in a pleasant way
    2. Be comfortable and friendly to calm the victim (in the case of a child victim, the interviewer must be extremely cautious not to disturb the child)
    3. Introduce yourself
    4. Explain to the victim the reason for the visit
    5. Clarify the significance and importance of the victim's testimony to the case
    6. Check the victim's name, current address, phone numbers, and occupation
    7. Ask the victim to tell the story as a narrative
    8. Do not interrupt; listen, and take brief notes very cautiously on what the victim says
    9. Observe the victim's behavior and body movement
    10. Try to be empathetic to motivate the victim
    11. Ask additional questions relevant to the case when the victim finishes the narrative, starting with general questions, and moving toward more specific questions
    12. Ask specific questions, if child exploitation is involved, about the location of the crime, methods, and any existing computers and other devices
    13. Compare the victim's statement with other statements, if they exist
    14. Review contradictions, and, if the victim is cooperative, present them to the victim
  • 29. Interview Methodology (Cont…)
    [Figure: Interview process for the case of child abuse in computer-related crimes – Source: (Edita Bajramović, 2014)]
  • 30. Investigation Interview Recording
    • A very important element of digital forensic investigations
    • NEEDS to be accurate
    • An interview record can create the foundation for investigative case management conclusions.
    • An interview record can be used as evidence in some jurisdictions
    • To determine which recording technique to use, think about:
      - Cost
      - Logistics
      - The possible effect on those interviewed
      - Any legal requirements affecting the interview's acceptability
    [Figure: Interview recording techniques for computer-related crimes – Source: (Edita Bajramović, 2014)]
  • 31. INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence)
    • Electronic evidence can be found in many of the new types of electronic devices available today.
    • A wide variety of electronic devices is commonly encountered at crime scenes.
    Remember: Many electronic devices contain memory that requires continuous power (battery or AC power) to maintain the information. Data can easily be lost by unplugging the power source or allowing the battery to discharge.
    Note: After determining the mode of collection, collect and store the power supply adaptor or cable, if present, with the recovered device.
  • 32. INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence) (Cont…)
    [Figure: Computer crime scene – Source: (CHFI, 2010)]
  • 33. INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence) (Cont…)
    Investigating Computer Systems
    • A computer system consists of a main base unit (CPU), data storage devices, a monitor, keyboard, and mouse.
    • It may be standalone or it may be connected to a network (laptops, desktops, tower systems, modular rack-mounted systems, microcomputers, minicomputers, supercomputers and mainframe computers).
    • Additional components include modems, printers, scanners, docking stations, and external data storage devices
    Primary use: Computation and information storage
    Potential evidence: commonly found in files that are stored on hard drives and storage devices and media.
  • 34. INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence) (Cont…)
    Investigating Computer Systems
    • Example: User-Created Files
    These can contain important evidence of criminal activity such as:
      - Address books and database files (may prove criminal association)
      - Still or moving pictures (may be evidence of pedophile activity)
      - Communications between criminals (e-mail or letters)
      - Drug deal lists, which may often be found in spreadsheets
    The investigator should look at:
      ◆ Address books.
      ◆ E-mail files.
      ◆ Audio/video files.
      ◆ Image/graphics files.
      ◆ Calendars.
      ◆ Internet bookmarks/favorites.
      ◆ Database files.
      ◆ Spreadsheet files.
      ◆ Documents or text files.
  • 35. INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence) (Cont…)
    Investigating Computer Systems
    Example: User-Protected Files
    • Users can hide evidence in a variety of forms
    • They may encrypt or password-protect data that are important to them.
    • They may also hide files on a hard disk or within other files, or deliberately hide incriminating evidence files under an innocuous name
    The investigator should also focus on:
      ◆ Compressed files.
      ◆ Misnamed files.
      ◆ Encrypted files.
      ◆ Password-protected files.
      ◆ Hidden files.
      ◆ Steganography.
    Remember that:
      - Passwords, Internet activity, and temporary backup files are examples of data that can often be recovered and examined
      - Evidence can also be found in files and other data areas created as a routine function of the computer's operating system
      - In most cases, the user is not aware that data are being written to these areas.
      - Some components of files may have evidentiary value, including the date and time of creation, modification, deletion, access, user name or identification, and file attributes.
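Finding misnamed files on a working copy, as an added Python example that is not part of the original slides: it compares each file's leading signature bytes with its extension and reports contradictions, including files whose extension promises a known format but whose content has no matching signature (as encrypted data would). The signature table is a small subset, and the sample file names are constructed.

```python
import os

# (magic bytes at offset 0, detected type, extensions that legitimately carry it)
SIGNATURES = [
    (b"\xFF\xD8\xFF", "JPEG image", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"GIF87a", "GIF image", {".gif"}),
    (b"GIF89a", "GIF image", {".gif"}),
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"PK\x03\x04", "ZIP container", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
]
KNOWN_EXTENSIONS = set().union(*(exts for _magic, _kind, exts in SIGNATURES))


def detect(header):
    """Return (type, allowed extensions) for the first matching signature."""
    for magic, kind, extensions in SIGNATURES:
        if header.startswith(magic):
            return kind, extensions
    return None, set()


def find_misnamed(root):
    """Walk a mounted working copy and list (relative path, extension, finding)."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                header = handle.read(8)
            kind, allowed = detect(header)
            extension = os.path.splitext(name)[1].lower()
            relative = os.path.relpath(path, root)
            if kind and extension not in allowed:
                # Content is a known format hidden behind another extension.
                findings.append((relative, extension, kind))
            elif kind is None and extension in KNOWN_EXTENSIONS:
                # Extension promises a known format the content does not have.
                findings.append((relative, extension, "no matching signature"))
    return sorted(findings)


def build_sample_tree(root):
    """Create constructed sample files (headers only, no real content)."""
    samples = {
        "holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,   # genuine JPEG header
        "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,    # PNG named as text
        "report.docx": b"PK\x03\x04" + b"\x00" * 16,         # DOCX is a ZIP container
        "driver.dll": b"\xFF\xD8\xFF\xE1" + b"\x00" * 16,    # JPEG named as a DLL
        "invoice.pdf": b"\x8f\x11\xa3\x5c\x02\xee\x90\x41",  # opaque bytes named PDF
        "readme.txt": b"plain text file",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as handle:
            handle.write(content)


if __name__ == "__main__":
    import tempfile
    tree = tempfile.mkdtemp()
    build_sample_tree(tree)
    for relative, extension, finding in find_misnamed(tree):
        print(f"{relative:<14} {extension:<6} {finding}")
```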
  • 36. INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence) (Cont…)
    Investigating Computer Systems
    Example: Computer-Created Files and Other Data Areas
    Evidence can also be found in files created by the computer itself and in other data areas.
    Investigators should check:
      ◆ Backup files.
      ◆ Log files.
      ◆ Configuration files.
      ◆ Printer spool files.
      ◆ Cookies.
      ◆ Swap files.
      ◆ Hidden files.
      ◆ System files.
      ◆ History files.
      ◆ Temporary files.
    And:
      ◆ Bad clusters.
      ◆ Computer date, time, and password.
      ◆ Deleted files.
      ◆ Free space.
      ◆ Hidden partitions.
      ◆ Lost clusters.
      ◆ Metadata.
      ◆ Other partitions.
      ◆ Reserved areas.
      ◆ Slack space.
      ◆ Software registration information.
      ◆ System areas.
      ◆ Unallocated space.
  • 37. INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and Potential Evidence) (Cont…)
    • Read Chapter 1 of the book: Computer Hacking Forensics Investigators (CHFI), Computer Forensics, Investigating Hard disks, File and Operating System, Eccouncil, 2010 (PDF format).
    • Evaluate other computer system components and network entities that can be submitted to the investigation process.
    • Take note of potential sources of evidence during investigation.
    • Generate a table that describes each component with the possible evidence that can be found.
  • 38. Conducting the Investigation Generally on an Item
    • Gather the resources identified in the investigation plan
    Items needed:
    –> Original storage media
    –> Evidence custody form
    –> Evidence container for the storage media
    –> Bit-stream imaging tool
    –> Forensic workstation to copy and examine your evidence
    –> Securable evidence locker, cabinet, or safe
  • 39. Precautions to Take During Investigation to Avoid Destroying Evidence
    While gathering the evidence, there are steps you may take to avoid damaging it:
    –> Meet the IT manager to interview him
    –> Fill out the evidence form and have the IT manager sign it
    –> Place the evidence in a secure container
    –> Complete the evidence custody form
    –> Carry the evidence to the computer forensics lab
    –> Create forensic copies (if possible)
    –> Secure the evidence by locking the container
    • Process the copied evidence with computer forensics tools
  • 40. One Important Task During Investigation: The Copying Process
    One important rule of computer forensics investigation is to preserve the original evidence!
    Remember: Conduct your analysis only on a copy of the data!
    DO bit-stream copies:
    - A bit-stream copy is a bit-by-bit copy of the original storage medium
    - The copy obtained is an exact copy of the original disk
    - Copy the image file to a target disk that matches the original disk's manufacturer, size and model
    [Figure: original disk, image, target disk]
    - A bit-stream copy is different from a simple backup copy
    - Backup software only copies known files
    - Backup software cannot copy deleted files or e-mail messages, or recover file fragments
    Tools: ProDiscover Basic, FTK Imager, Linux dd command
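The copying process with hash verification, as an added Python example that is not part of the original slides and is not a replacement for the imaging tools listed above: it copies a source byte for byte while hashing it, re-hashes the image to confirm it is unchanged, and locates the first differing byte when two images disagree (the check behind the ACP step of making two images with different tools). File names and data are constructed; function names are hypothetical.

```python
import hashlib


def acquire(source_path, image_path, block_size=1 << 20):
    """Copy every byte of the source to a new image, hashing the stream as it is read."""
    digest = hashlib.sha256()
    copied = 0
    # Mode "xb" refuses to overwrite an existing image file.
    with open(source_path, "rb") as source, open(image_path, "xb") as image:
        while True:
            block = source.read(block_size)
            if not block:
                break
            digest.update(block)
            image.write(block)
            copied += len(block)
    return {"bytes": copied, "sha256": digest.hexdigest()}


def hash_file(path, block_size=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify(record, image_path):
    """True only if the image still hashes to the value recorded at acquisition."""
    return hash_file(image_path) == record["sha256"]


def first_difference(path_a, path_b, block_size=1 << 20):
    """Return the offset of the first differing byte, or None if both are identical."""
    offset = 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            block_a, block_b = a.read(block_size), b.read(block_size)
            if block_a != block_b:
                for index, (x, y) in enumerate(zip(block_a, block_b)):
                    if x != y:
                        return offset + index
                # No differing byte in the common part: one image is shorter.
                return offset + min(len(block_a), len(block_b))
            if not block_a:
                return None
            offset += len(block_a)


if __name__ == "__main__":
    import os
    import tempfile
    work = tempfile.mkdtemp()
    source = os.path.join(work, "source.bin")
    with open(source, "wb") as handle:
        handle.write(bytes(range(256)) * 64)        # constructed stand-in for a disk
    record = acquire(source, os.path.join(work, "image.dd"), block_size=4096)
    print(record, verify(record, os.path.join(work, "image.dd")))
```

Write the recorded hash on the evidence custody form at acquisition time, so that every later verification is checked against a value fixed before analysis began.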
  • 41. Finalizing the Investigation Case
    At the end of your investigation, you need to produce a final report. Here, you must:
    - State what you did and what you found
    - Include the report generated by your forensic tool to document your work
    - Produce repeatable findings: repeat the steps and produce the same result, using different tools
    - If required, use a report template
    - The report should show conclusive evidence: did the suspect commit the crime or violate a company policy, or not? -> Your opinion
  • 42. Finalizing the Investigation Case
    • At the end of your investigation, you need to critique the case. Ask yourself the following questions:
      - How could you improve your performance in the case?
      - Did you expect the results you found?
      - Did the case develop in ways you did not expect?
      - Was the documentation as thorough as it could have been?
      - What feedback has been received from the requesting source?
      - Did you discover any new problems? If so, what are they?
      - Did you use new techniques during the case or during research?
  • 43. CONCLUSION
    • Digital forensics investigation of a computer is a unique process that comes with many challenges.
    • The success of an investigation relies on how well we understand what we are looking for and how efficient we are in the process of looking for it.
    • Conducting a computer investigation therefore requires following an acceptable procedure.
    • From the acquisition of evidence to the processing of the copied evidence with computer forensics tools, computer forensics investigation contributes to fighting the growth of digital crimes.
    • Remember that any digital device can be a source of evidence. Only perspicacity in conducting the forensics investigation process can ensure a good result.
    • It therefore depends on how well you are equipped and on the various forensics tools used in your forensics laboratory.
  • 44. GROUP WORK ASSIGNMENTs PRESENTATION
    To become familiar with various forensics tools:
    1. Download Forensics Toolkit (FTK) from this URL: https://accessdata.com/product-download/forensic-toolkit-ftk-version-6-0
    2. The downloaded file will be an .iso file. Use the appropriate software to load it in your OS (Nero, ISO opener, PowerISO, etc.).
    3. Form a group of 6 students and specify your group leader
    4. Install this tool on an updated laptop with acceptable specifications (Dual core, 2GB RAM, <10GB HDD free space, Windows 10/Linux)
    5. Prepare a PowerPoint presentation of this application
    6. Demonstrate 2 features illustrating forensics investigation
    Duration: 1h30 mn
    Note: This class session will be ONSITE. Date: to be discussed in class…
  • 45. GROUP WORK ASSIGNMENTs PRESENTATION
    • Download the PDF file "Digital Evidence and the US Criminal Justice System" here: https://www.rand.org/pubs/research_reports/RR890.html
    • Form a group of 3 students
    • Prepare a PowerPoint presentation of the content of this file
    • Emphasize the case studies elaborated in it to make your point
    • Do a class presentation of your findings and conclusion
    • Conclude your presentation using a practical forensics tool that demonstrates how evidence can be managed during a forensics investigation.
    • Duration: 1h30mn
  • 46. REFERENCES
    1- Godwin Emmanuel, Oyedokun, UNDERSTANDING FORENSIC INVESTIGATION PROCESS (UFIP), lecture delivered at Fraud Examination and Forensic Investigation Workshop, 2016. Retrieved from https://slideplayer.com/slide/7914121/
    2- Computer Hacking Forensics Investigators (CHFI), Computer Forensics, Investigating Hard disks, File and Operating System, Eccouncil, 2010
    3- Computer Hacking Forensics Investigators (CHFI), Computer Forensics, Investigating Network and Cyber Crimes, Eccouncil, 2010
    4- Cardinali, Richard. Anatomy of a bug: understanding the computer virus. Computer education, no. 74, June 1993: QA76.27.C65 and Pamphlet box <SciRR>
    5- Hartson, H. Rex. Computer security. In McGraw-Hill encyclopedia of science and technology. v. 4. 6th ed. New York, McGraw-Hill Book Co., c1987. p. 274-276.
  • 47. REFERENCES
    6- Parker, Donn B. Crime. In Encyclopedia of computer science and technology. v. New York, Marcel Dekker, Inc., c1977. p. 383-403.
    7- John Ashcroft, U.S. Department of Justice, Electronic crimes scenes investigation, A guide for first responder, 2001. Retrieved from http://www.ojp.usdoj.gov
    8- John Ashcroft, U.S. Department of Justice, Electronic crimes scenes investigation, A guide for first responder, 2001. Retrieved from http://www.ojp.usdoj.gov
    9- Edita Bajramović, Interview Methodology in Digital Forensics Investigations, American University in Bosnia, Stručni rad UDC 343.9. Retrieved from Conducting effective interviews. AICPA. n.d, http://www.aicpa.org/interestareas/forensicandvaluation/resources/practaidsguidance/downloadabledocuments/10834-378_interview%20whiite%20paper-final-v1.pdf, http://media3.novi.economicsandlaw.org/2017/07/Vol11/Bajramovic-11-IJEAL.pdf
  • 48. END