File000166
- 2. EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: The Dangers of Do-It-Yourself Computer Forensics
As Do-It-Yourself or “DIY” becomes a more common practice at law firms, it is becoming more important to
evaluate the risks associated with doing certain things yourself. Eric Shirk examines the dangers of using
DIY for computer forensics and suggests alternatives that are safer for your firm.
A Do-It-Yourself, or “DIY,” trend has permeated the legal industry when it comes to electronic discovery and
litigation consulting services. In an effort to reduce costs, law firms and corporations are building internal
teams to rely less on outside vendors, with varying degrees of success. However, certain DIY missions in
litigation are fraught with peril and should be carefully examined. Such is the case with computer forensics,
the discipline of digital evidence gathering and examination, which often culminates in expert testimony in a
court of law.
Computer forensics and the collection of digital evidence is a field with its deepest roots originating in law
enforcement. Police and government investigators use various tools and techniques to mine digital
evidence, tracking down perpetrators in both criminal and civil matters. With the recent explosion of
electronically stored information (ESI) and eDiscovery in litigation, computer forensics is much more
widespread now, and the demand for skilled professionals has outpaced the supply. Electronic discovery
now appears in most cases, as e-mails have become a main form of communication, and electronic financial
transactions and money management are commonplace.
Since computer forensics services are frequently needed by legal counsel as well as corporate information
technology (IT) departments, consultants have cropped up to fill the need. Truly qualified providers have
the training and experience needed, both from a software proficiency and methodology
standpoint. However, as with any burgeoning industry, there is a range of quality among consultants and
prospective clients need to understand what they are.
Source: http://www.abanet.org/
- 3.
Module Objective
This module will familiarize you with:
• Computer Forensics for Lawyers
• Presenting the Case
• Functions of Lawyers
• Identify the Right Forensic Expert
• Check for Legitimacy
• What Lawyers Should Know in the Forensic Process
• Computer Forensics Cases
- 4.
Module Flow
Computer Forensics for Lawyers
Presenting the Case
Functions of Lawyers
Identify the Right Forensic Expert
Check for Legitimacy
What Lawyers Should Know in the Forensic Process
Computer Forensics Cases
- 5.
Computer Forensics for Lawyers
A lack of knowledge about electronic data, combined with experience grounded
exclusively in paper discovery, makes it hard for lawyers to meet the challenge
of digital data discovery
Critical errors can be avoided in the first place if lawyers gain a fundamental
understanding of how a computer stores data and how its file system manages
files
- 6.
Initial Information to be Known by Lawyers When an Incident Occurs
Details and type of the incident that occurred
Date and time of the incident’s occurrence
Any tampering with the incident scene or the affected systems
Actions taken after the incident
Information about the person who first identified the incident
Any security gaps found at the incident location
Information about who has access to the system and who accessed it last
- 7.
Presenting the Case
Presenting the case is the attorney’s chance to convince the judge that every
measure was taken to protect the computer in question, that all recoverable data
was recovered, and that the findings were documented
Be prepared to instruct the court, to evaluate and choose a computer forensics
effort, and to understand and advise your clients about “safe” data practices
Have a working knowledge of how a computer stores data, and of where and how
data resides after it is deleted
Request the court to issue an order requiring the party in possession of the
computer to refrain from any action that may impair the ability to recover
latent or dynamic data
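The point above about where data resides after it is deleted, worked through on a toy disk image. This is an added example and not code from the EC-Council module: it invents a minimal directory format (a status byte, a 12-byte name, a first block and a block count per entry, with 0xE5 marking a deleted entry as FAT does) so that the whole "file system" fits in a few lines, and the file contents are constructed. Deleting a file only changes its directory entry, so the content can be recovered either from the stale entry or by carving unallocated space for a known header/footer signature; the same script then shows why a later write that is allocated the freed block destroys that recoverability, which is the concern behind the module's later list of actions that spoil evidence.

```python
import struct

BLOCK_SIZE = 64                     # toy geometry: 16 blocks of 64 bytes
BLOCK_COUNT = 16
DIR_BLOCK = 0                       # block 0 holds the directory
ENTRY = struct.Struct("<B12sBB1x")  # status, name, first block, block count, pad
EMPTY, LIVE, DELETED = 0x00, 0x01, 0xE5
MAX_ENTRIES = BLOCK_SIZE // ENTRY.size   # 4 directory slots


def new_image() -> bytearray:
    """A freshly formatted disk: every byte zero."""
    return bytearray(BLOCK_SIZE * BLOCK_COUNT)


def _entries(img):
    """Yield (slot, status, name, first_block, block_count) for every directory slot."""
    for slot in range(MAX_ENTRIES):
        off = DIR_BLOCK * BLOCK_SIZE + slot * ENTRY.size
        status, raw_name, start, count = ENTRY.unpack_from(img, off)
        yield slot, status, raw_name.rstrip(b"\x00").decode(), start, count


def _write_entry(img, slot, status, name, start, count):
    off = DIR_BLOCK * BLOCK_SIZE + slot * ENTRY.size
    ENTRY.pack_into(img, off, status, name.encode(), start, count)


def allocated_blocks(img) -> set:
    """Blocks the directory says are in use; a deleted file's blocks are NOT here."""
    used = {DIR_BLOCK}
    for _, status, _, start, count in _entries(img):
        if status == LIVE:
            used.update(range(start, start + count))
    return used


def create_file(img, name: str, data: bytes) -> None:
    if len(name.encode()) > 12:
        raise ValueError("name too long for this toy directory")
    need = -(-len(data) // BLOCK_SIZE)            # ceiling division
    free = set(range(BLOCK_COUNT)) - allocated_blocks(img)
    start = next(s for s in sorted(free) if all(s + i in free for i in range(need)))
    slots = list(_entries(img))
    # Prefer an empty slot; fall back to reusing a deleted one, as real file systems do.
    slot = next((s for s, st, *_ in slots if st == EMPTY), None)
    if slot is None:
        slot = next(s for s, st, *_ in slots if st == DELETED)
    img[start * BLOCK_SIZE:start * BLOCK_SIZE + len(data)] = data  # slack after the data is left as-is
    _write_entry(img, slot, LIVE, name, start, need)


def delete_file(img, name: str) -> None:
    """Deletion only flips the directory status byte; the data blocks are untouched."""
    for slot, status, ename, start, count in _entries(img):
        if status == LIVE and ename == name:
            _write_entry(img, slot, DELETED, name, start, count)
            return
    raise FileNotFoundError(name)


def list_files(img) -> list:
    return [n for _, st, n, _, _ in _entries(img) if st == LIVE]


def recover_deleted(img) -> dict:
    """Undelete via the directory: a deleted entry still points at its old blocks,
    which hold the original bytes until something else is written there."""
    out = {}
    for _, status, name, start, count in _entries(img):
        if status == DELETED:
            out[name] = bytes(img[start * BLOCK_SIZE:(start + count) * BLOCK_SIZE])
    return out


def carve(img, header: bytes, footer: bytes) -> list:
    """Signature carving over unallocated space: finds header...footer runs without
    consulting the directory, so it works even after the entry itself is reused."""
    used = allocated_blocks(img)
    unalloc = b"".join(bytes(img[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE])
                       for b in range(BLOCK_COUNT) if b not in used)
    found, pos = [], 0
    while (h := unalloc.find(header, pos)) != -1:
        f = unalloc.find(footer, h + len(header))
        if f == -1:
            break
        found.append(unalloc[h:f + len(footer)])
        pos = f + len(footer)
    return found


def demo() -> dict:
    """Constructed walkthrough (not real evidence): create, delete, recover, overwrite."""
    img = new_image()
    memo = b"<<BEGIN>>draft settlement figures: 4.2M<<END>>"
    create_file(img, "memo.txt", memo)
    delete_file(img, "memo.txt")
    recovered = recover_deleted(img)["memo.txt"].rstrip(b"\x00")   # strip block slack
    carved = carve(img, b"<<BEGIN>>", b"<<END>>")
    # A later, unrelated write is allocated the freed block: the memo is gone for good.
    create_file(img, "notes.txt", b"Q3 budget " * 10)
    return {
        "live_files": list_files(img),
        "recovered_after_delete": recovered,
        "carved_after_delete": carved,
        "recovered_after_overwrite": recover_deleted(img)["memo.txt"].rstrip(b"\x00"),
        "carved_after_overwrite": carve(img, b"<<BEGIN>>", b"<<END>>"),
    }
```

Running demo() shows the deleted memo coming back intact from both the stale directory entry and the signature carve, and then, after one more file is written, the same entry pointing at the new file's bytes with nothing left to carve. On a real disk the window between deletion and reuse is exactly what a court order to stop using the machine is meant to preserve.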
- 8.
What Lawyers Should Know
Firewall basics
Network configuration
Basic understanding of e-mail infrastructure
Warning Banners, logging, and monitoring
Security policy
Back-up process and technologies
Types of computers and other electronic media
• Laptop, PDA, personal computer
- 9.
Functions of Lawyers
Study the client's document retention policies and data retention architecture
Issue a “litigation hold” for all relevant information, with regular reminders, as soon as
litigation is reasonably anticipated
Identify the key players and IT personnel and communicate with them directly to ensure
compliance and a complete understanding
Ask the relevant employees to submit electronic and hard copies of files
Verify the files, electronic records, laptops, backup media, etc.
Suspend routine record management, recycling policies, and automatic deletion
Prevent unauthorized access and tampering
- 10.
When Do Lawyers Really Need to Hire a Forensic Expert?
In matters involving a credible allegation of negligence or intentional destruction,
or concealment, of electronic information
In circumstances where it is likely that relevant and discoverable data exists, but
is accessible only through the use of forensic restoration techniques
- 11.
Identify the Right Forensic Expert
Is the examiner certified?
How much experience does he/she have in computer forensics?
How experienced is he/she as an expert witness?
What are his/her service charges?
Does he/she know the Federal Rules of Evidence?
Is he/she trained in evidence handling, investigation techniques, and information
recovery tools?
Can he/she identify the system’s role in the event and develop a refined approach to
finding evidence?
- 12.
Associations, Agencies, and Training Programs for Expert Forensic Investigators
International Association of Computer Investigative Specialists (IACIS)
High Technology Crime Investigation Association (HTCIA)
High Tech Computer Network (HTCN)
Computer Forensics Tool Testing (CFTT)
Federal Law Enforcement Training Center (FLETC)
Seized Computer Evidence Recovery Specialist (SCERS)
Treasury Computer Forensic Training Program (TCFTP)
Federal Bureau of Investigation (FBI)
- 13.
Check for Legitimacy
Check whether an incident has actually occurred
Check whether the investigating team performing the forensics is experienced and
certified
Ensure that the evidence is legally admissible
Make sure that the forensic work is performed within established policies and procedures
Ensure that the individuals who give evidence are genuine
Check that the documentation matches the forensic process that was actually followed
Check that no information or evidence unrelated to the case is included in the final
report to the court
- 14.
What Lawyers Should Know in the Forensic Process
Law and policies followed in the forensic process
Information from the first responder
Understanding file systems
Data acquisition and duplication
Incidents handled
Tools used in computer forensics
Deleted files and partitions recovered
Application password cracking
Network forensics and investigating logs
Network Traffic, wireless attacks, web attacks, and DoS attacks
Trademark and copyright infringement
- 15.
What Makes Evidence Inadmissible in Court
Each of the following alters or destroys data that may be discoverable, which can
make what remains inadmissible and expose the party to spoliation sanctions:
Defragmenting the disk, zipping (compressing) data, or installing/uninstalling applications on the system
Overwriting backup media or the swap file area
Disposing of machines or media
Deleting, moving, or modifying discoverable evidence
Disk optimization
Metadata scrubbing/removal
- 16.
What Lawyers Should Expect from a Forensic Examiner
Document equipment such as hard disk drives, along with their model, operating system and version, and
file catalog
Collect and document data sources such as backup tapes, firewall logs, and intrusion detection logs
Secure and protect physical items such as notepads, papers, photos, books, and other materials gathered
from the suspect’s office
Maintain a chain of custody that proves both physical and electronic evidence have been preserved in
their original state
Recognize the system’s relationship to the event and develop an approach for finding evidence
Locate and document the evidence
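The acquisition and chain-of-custody expectations above, as an added example that is not part of the EC-Council module. It works on a constructed in-memory "drive" rather than a real device: there is no write blocker or imaging tool here, and the hypothetical acquire_image function only models the verification step an imager performs. The item identifier, names and dates are invented. The custody log records the evidence hash at every hand-over and chains each entry to the hash of the previous one, so the verify method detects three distinct failures: an image that no longer matches its acquisition hash, a hand-over where the person releasing the item is not the person who last received it, and an entry of the log itself edited after the fact.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> tuple:
    """Bit-for-bit duplication with verification: hash the source and the copy
    independently and refuse to go on unless they match (the check a forensic
    imager performs after reading the original through a write blocker)."""
    image = bytes(source)
    source_hash, image_hash = sha256_hex(source), sha256_hex(image)
    if source_hash != image_hash:
        raise RuntimeError(f"acquisition verification failed: {source_hash} != {image_hash}")
    return image, image_hash


class CustodyLog:
    """Append-only chain-of-custody record. Every entry carries the evidence hash
    observed at hand-over plus the hash of the previous entry, so editing or
    removing an earlier entry breaks the chain and is reported by verify()."""

    GENESIS = "0" * 64

    def __init__(self, item_id: str, description: str):
        self.item_id = item_id
        self.description = description
        self.entries = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        return sha256_hex(json.dumps(entry, sort_keys=True).encode())

    def record(self, action: str, released_by: str, received_by: str,
               evidence_hash: str, when: str) -> dict:
        entry = {
            "seq": len(self.entries),
            "when": when,                      # ISO 8601 UTC timestamp
            "action": action,
            "released_by": released_by,
            "received_by": received_by,
            "evidence_hash": evidence_hash,    # hash verified at this hand-over
            "prev": self._entry_hash(self.entries[-1]) if self.entries else self.GENESIS,
        }
        self.entries.append(entry)
        return entry

    def verify(self, image: bytes) -> list:
        """Return the list of problems found; an empty list means the chain is intact."""
        if not self.entries:
            return ["no custody entries"]
        problems = []
        acquisition_hash = self.entries[0]["evidence_hash"]
        if sha256_hex(image) != acquisition_hash:
            problems.append("image hash differs from acquisition hash")
        for i, e in enumerate(self.entries):
            expected_prev = self._entry_hash(self.entries[i - 1]) if i else self.GENESIS
            if e["prev"] != expected_prev:
                problems.append(f"entry {i}: log chain broken")
            if e["evidence_hash"] != acquisition_hash:
                problems.append(f"entry {i}: evidence hash changed while held by {e['received_by']}")
            if i and e["released_by"] != self.entries[i - 1]["received_by"]:
                problems.append(f"entry {i}: handover gap ({self.entries[i - 1]['received_by']} -> {e['released_by']})")
        return problems


def demo() -> dict:
    """Constructed scenario: made-up drive contents, names, dates and item id."""
    source_drive = b"\x33\xc0\x8e\xd0" + b"user documents and mail " * 40   # fake drive bytes
    image, h = acquire_image(source_drive)
    log = CustodyLog("EX-042", "laptop HDD image (constructed example)")
    log.record("acquired on site", "J. Doe (custodian)", "A. Examiner", h, "2024-03-01T09:00:00Z")
    log.record("transferred to lab", "A. Examiner", "Evidence locker", h, "2024-03-01T11:30:00Z")
    log.record("checked out for analysis", "Evidence locker", "B. Analyst", sha256_hex(image), "2024-03-02T08:15:00Z")
    intact = log.verify(image)
    tampered = bytearray(image)
    tampered[100] ^= 0xFF                        # one byte changed after acquisition
    tampered_problems = log.verify(bytes(tampered))
    log.record("returned to locker", "C. Unknown", "Evidence locker", h, "2024-03-03T17:00:00Z")
    gap_problems = log.verify(image)             # B. Analyst never signed it over to C. Unknown
    log.entries[1]["received_by"] = "Someone else"   # retroactive edit of the log itself
    edited_problems = log.verify(image)
    return {"image_hash": h, "intact": intact, "tampered": tampered_problems,
            "gap": gap_problems, "edited": edited_problems}
```

The examiner's report should carry the acquisition hash and the custody entries verbatim; opposing counsel can then re-hash the produced image and re-run the same checks, which is what makes the "stored in its original state" claim demonstrable rather than asserted.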
- 17.
Summary
A lack of knowledge about electronic data, combined with experience grounded
exclusively in paper discovery, makes it hard for lawyers to meet the challenge
of digital data discovery
Be prepared to instruct the court, to evaluate and choose a computer forensics
effort, and to understand and advise clients about “safe” data practices
Issue a “litigation hold” for all relevant information, with regular reminders,
as soon as litigation is reasonably anticipated
Ensure that no information or evidence unrelated to the case is included in the
final report to the court