A series of computer forensics notes...................

1. Intro to Computer Forensics
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY ‫باخترپوهنتون‬ ‫د‬

2. Outline
• CF Investigation Process
• Secure the Evidence
• Acquire and Analyze the Data
• Assess Evidence and Case
• Prepare the Final Report
• Testify in the court as an Expert witness
• Computer Forensics Service Providers

3. Secure the Evidence
• Secure the evidence without damaging the evidence’s integrity
• Place the evidence in a secured site by not allowing any intruders to access
it
• Maintain the chain of custody to properly track the evidence
• Identify digital and non digital artifacts to separate the evidence according
to their behavior
• Maintain a log book at the entrance of the lab to log in the timings and
name of the person visited
• Place an intrusion alarm system in the entrance of the forensic lab
• Contact law enforcement agencies to know how to preserve the evidence

4. Chain of custody
• Chain of custody is a legal document that demonstrates the
progression of evidence as it travels from original evidence location to
the forensic laboratory

5. Acquire the Data

6. Note…………….
• Original Evidence should not be used for analysis

7. Note…………………………..
• Duplicate the Data

8. Hash the Evidence

9. Recovery……… if Necessary
• Tools of Recovery
• Recover my files
• Digital Rescue premium
• EASEUS data recovery wizard
• PC inspector file Recovery
• Advanced Disk Recovery
• Total Recall

10. Analyze the Data
• Thoroughly analyze the acquired data to draw conclusions related to
the case
• Data analysis techniques depend on the scope of the case or client’s
requirements
• Analysis of the file’s content, date and time of file creation and
modification, users associated with file creation access and file
modification, and physical storage location of the file
• Identify and categorize data in order of relevance

11. Tools for Analysis
• Forensic tools help in sorting and analysis of a large volume of data
to draw meaningful conclusions.
• Tools
• AccessData’s FTK
• Guidance Software’s Encase Forensics
• Brain Carrier’s the Sleuth Kit

12. Evidence Assessment
• Conduct a complete assessment by reviewing the
• Search warrant
• Legal authorization
• Case detail
• Nature of the hardware and software
• Potential evidence
• Circumstances surrounding the acquisition of the evidence to be examined

13. Case Assessment [CHFI]

14. Prepare the final Report
• Report Writing is a crucial stage in the outcome of the investigation
• The report should be clear, concise and written for the appropriate
audience

15. Continued…… [CHFI]

16. Continued… [CHFI]

17. Expert Witness
• An expert witness is a person who has a thorough knowledge of a
subject and whose credentials can convince others to believe his or
her opinions on that subject in a court of law

18. Testifying in the court
• Presenting digital evidence in the court requires knowledge of new,
specialized, evolving and sometimes complex technology

19. Computer forensics Service Providers
• www.compforensics.com
• www.forensic.com
• www.burgessforensics.com
• Global digital forensics
• etc

21. Thank You
For Your Patience