Investigation interviews are an important part of digital forensic investigations but require experience to obtain confessions. Before starting interviews, investigators must thoroughly research the facts of the case and background information on interview subjects. During interviews, investigators should carefully question subjects while following proper methodology and recording all discussions to maintain legal defensibility.
Learning Objectives:
1. Understand how this unique, emergent form of evidence can be used for criminal investigations and civil litigation e-discovery.
2. Discover the DoJ memo to law enforcement uncovered by FOIA stressing why and how to use social media in criminal cases.
3. See social media evidence recovered from smart phones, personal computers, and the cloud.
4. Learn the ethics of social media evidence collection including what you can and cannot do, if you want to keep your license that is.
UNIT-II Initial Response and forensic duplication: Initial Response & Volatile Data Collection from Windows systems – Initial Response & Volatile Data Collection from Unix systems – Forensic Duplication: Forensic Duplicates as Admissible Evidence, Forensic Duplication Tool Requirements, Creating a Forensic Duplicate/Qualified Forensic Duplicate of a Hard Drive
Forensics analysis and validation: Determining what data to collect and analyze, validating forensic data, addressing data-hiding techniques, performing remote acquisitions. Network forensics: network forensics overview, performing live acquisitions, developing standard procedures for network forensics, using network tools, examining the Honeynet Project.
INTRODUCTION TO COMPUTER FORENSICS
Introduction to Traditional Computer Crime, Traditional problems associated with Computer Crime. Introduction to Identity Theft & Identity Fraud. Types of CF techniques – Incident and incident response methodology – Forensic duplication and investigation. Preparation for IR: Creating response tool kit and IR team. – Forensics Technology and Systems – Understanding Computer Investigation – Data Acquisition.
A Pilot study on issues and complexity of digital forensics and how digital forensics can be applied in a live environment without the loss or spoilage of valuable data and evidence
Types of Computer Forensics Technology, Types of Military Computer Forensic Technology, Types of Law Enforcement, Computer Forensic Technology, Types of Business Computer Forensic Technology, Specialized Forensics Techniques, Hidden Data and How to Find It, Spyware and Adware, Encryption Methods and Vulnerabilities, Protecting Data from Being Compromised Internet Tracing Methods, Security and Wireless Technologies, Avoiding Pitfalls with Firewalls Biometric Security Systems
Presentation giving an overview of SDN (Software Defined Networking). It starts from the basics, such as the different controllers, and touches on some technical details.
Covers the terminology used, OpenFlow, controllers, OpenDaylight, Cisco ONE, Google B4, NFV, etc.
Assignment 1: Portfolio Assignments
Preface
Listed below are the areas of concentration for the MSDF-630 202 Portfolio Assignment. Keep in mind that the portfolio research concentration is an essential segment of the course. Two research topics have been created for you, and I hope that your professional effort will be represented in this project. Portfolio projects consist of the following three unique phases:
Profile.
Research Question 1
Investigation of Alibi: Time as Alibi and Location as Alibi.
Research Question 2.
Cybercrime Law, Computer-Integrity Crime, Fraud, and Abuse.
Portfolio Project
Profile: Required
Group 1. Research Question 1
Group 2. Research Question 2
Group 3. Research Question 1
Group 4. Research Question 2
Each student must submit two (2) successfully completed documents:
Profile
Collaborative Group Assignment.
Phase 1: Student Professional Profile
Portfolio
Full-Name
Profile
Status: Graduate or Post-graduate
Academic areas concentration
Current Professional Career Path
Professional career path upon successful completion of your studies at the University of the Cumberlands.
Research Question 1.
Investigation of Alibi: Time as Alibi and Location as Alibi.
Preamble
Alibi is a Latin word meaning "somewhere else": a scenario that identifies the perpetrator of a crime as someone else, or as being somewhere other than where the crime took place. Criminal activities involving location, login and logout times, and illegal behaviors can be easily tracked by using computer and internet technologies.
Offenders and their alibis are often naive and ignore the fact that telephone companies always keep records of the number dialed, the time and duration of the call, and the caller's number.
Offenders and their alibis are oblivious to the fact that credit card companies keep records of the dates, times, and locations of all purchases; banks keep track of the dates, times, and locations of all deposits and withdrawals; and these dates, times, and locations reside on computers for an indefinite period. Customers receive a report each month with detailed information in the form of a bill and financial statement.
Offenders and their alibis are often neglectful of the fact that when an e-mail message is sent, the time and the originating Internet Protocol (IP) address are noted in the header, and log files contain information on past and current activities.
Forensic investigators must be vigilant at all times and recognize the criminal's modus operandi (MO), motive, intent, and ability to manipulate and change the contents of conclusive evidence and create a false alibi to amplify deceitful schemes. During the investigation of an alibi, the first step is to secure access to the data and information on the computer workstations, file servers, protocols, and network systems.
BOOTP is the computer network designed to control .
This chapter provides a general introduction to computer forensics. After defining what computer forensics is, the notion of computer crimes is presented, together with a discussion of who can make use of forensics. It sets out the steps to follow in a computer forensics process, and puts emphasis on anti-forensics to show the threat it poses to the development of this scientific domain.
Crime and violence are inherent in our political and social system. With the pace of technology, the popularity of the internet grows continuously, changing not only our views of life but also the way crime takes place all over the world. We need a technology that can be used to bring justice to those who are responsible for conducting attacks on computer systems across the globe. In this paper, we present various measures being taken in order to control and deal with crime related to digital devices. This paper gives an insight into digital forensics and the current situation of India in handling such crimes.
Similar to Chap 2 computer forensics investigation (20)
Water scarcity is the lack of fresh water resources to meet the standard water demand. There are two types of water scarcity: one is physical, the other is economic water scarcity.
Explore the innovative world of trenchless pipe repair with our comprehensive guide, "The Benefits and Techniques of Trenchless Pipe Repair." This document delves into the modern methods of repairing underground pipes without the need for extensive excavation, highlighting the numerous advantages and the latest techniques used in the industry.
Learn about the cost savings, reduced environmental impact, and minimal disruption associated with trenchless technology. Discover detailed explanations of popular techniques such as pipe bursting, cured-in-place pipe (CIPP) lining, and directional drilling. Understand how these methods can be applied to various types of infrastructure, from residential plumbing to large-scale municipal systems.
Ideal for homeowners, contractors, engineers, and anyone interested in modern plumbing solutions, this guide provides valuable insights into why trenchless pipe repair is becoming the preferred choice for pipe rehabilitation. Stay informed about the latest advancements and best practices in the field.
Democratizing Fuzzing at Scale by Abhishek Arya (abh.arya)
Presented at NUS: Fuzzing and Software Security Summer School 2024
This keynote talks about the democratization of fuzzing at scale, highlighting the collaboration between open source communities, academia, and industry to advance the field of fuzzing. It delves into the history of fuzzing, the development of scalable fuzzing platforms, and the empowerment of community-driven research. The talk will further discuss recent advancements leveraging AI/ML and offer insights into the future evolution of the fuzzing landscape.
Saudi Arabia stands as a titan in the global energy landscape, renowned for its abundant oil and gas resources. It's the largest exporter of petroleum and holds some of the world's most significant reserves. Let's delve into the top 10 oil and gas projects shaping Saudi Arabia's energy future in 2024.
Forklift Classes Overview by Intella Parts
Discover the different forklift classes and their specific applications. Learn how to choose the right forklift for your needs to ensure safety, efficiency, and compliance in your operations.
For more technical information, visit our website https://intellaparts.com
Welcome to WIPAC Monthly the magazine brought to you by the LinkedIn Group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news, and to celebrate the 13 years since the group was created, we have articles including:
A case study of the use of Advanced Process Control at the wastewater treatment works at Lleida in Spain
A look back on an article on smart wastewater networks in order to see how the industry has measured up in the interim around the adoption of Digital Transformation in the Water Industry.
Courier management system project report.pdf by Kamal Acharya
It is now-a-days very important for the people to send or receive articles like imported furniture, electronic items, gifts, business goods and the like. People depend vastly on different transport systems which mostly use the manual way of receiving and delivering the articles. There is no way to track the articles till they are received and there is no way to let the customer know what happened in transit, once he booked some articles. In such a situation, we need a system which completely computerizes the cargo activities including time to time tracking of the articles sent. This need is fulfilled by Courier Management System software which is online software for the cargo management people that enables them to receive the goods from a source and send them to a required destination and track their status from time to time.
Hybrid optimization of pumped hydro system and solar - Engr. Abdul-Azeez.pdf by fxintegritypublishin
Advancements in technology unveil a myriad of electrical and electronic breakthroughs geared towards efficiently harnessing limited resources to meet human energy demands. The optimization of hybrid solar PV panels and pumped hydro energy supply systems plays a pivotal role in utilizing natural resources effectively. This initiative not only benefits humanity but also fosters environmental sustainability. The study investigated the design optimization of these hybrid systems, focusing on understanding solar radiation patterns, identifying geographical influences on solar radiation, formulating a mathematical model for system optimization, and determining the optimal configuration of PV panels and pumped hydro storage. Through a comparative analysis approach and eight weeks of data collection, the study addressed key research questions related to solar radiation patterns and optimal system design. The findings highlighted regions with heightened solar radiation levels, showcasing substantial potential for power generation and emphasizing the system's efficiency. Optimizing system design significantly boosted power generation, promoted renewable energy utilization, and enhanced energy storage capacity. The study underscored the benefits of optimizing hybrid solar PV panels and pumped hydro energy supply systems for sustainable energy usage. Optimizing the design of solar PV panels and pumped hydro energy supply systems as examined across diverse climatic conditions in a developing country, not only enhances power generation but also improves the integration of renewable energy sources and boosts energy storage capacities, particularly beneficial for less economically prosperous regions. Additionally, the study provides valuable insights for advancing energy research in economically viable areas. 
Recommendations included conducting site-specific assessments, utilizing advanced modeling tools, implementing regular maintenance protocols, and enhancing communication among system components.
Vaccine management system project report documentation..pdf by Kamal Acharya
The Division of Vaccine and Immunization is facing increasing difficulty monitoring the distribution of vaccines and other commodities once they have been distributed from the national stores. With the introduction of new vaccines, more challenges have been anticipated, with these additions posing a serious threat to the already overstrained vaccine supply chain system in Kenya.
2. CONTENT
• Introduction
• Overview of a Computer Crime
• Digital Investigation Triad
• Initiating Computer crimes investigations
• Some investigation procedures in a corporate environment:
- Employee termination case: Internet abuse
- Employee termination case: E-mail abuse
- Attorney-Client Privilege (ACP) investigation case
- Media leak investigation case
• Initiating Interviews in Digital Forensics Investigations
• Interview Methodology
• Investigation Interview Recording
• Investigating a Computer Crime Scene: Electronic devices (Type and Potential evidence)
• Conducting the Investigation on an item
• Precautions to take during Investigation
• The copying Process
• Finalizing the investigation Case
• Conclusion
Chap 2- Computer Forensics Investigations, By Cyrille Lottin-2020
3. INTRODUCTION
• Digital forensics investigation of a computer is a unique process that comes with many challenges: understanding how computers manipulate bit values (0 and 1), mastering operating systems, computer hardware, network operation, etc.
• Investigation is the act or process of investigating, or the condition of being investigated.
• Computer investigation is the systematic search for digital evidence, where data are collected in the most secure and efficient manner.
• Forensics professionals gather evidence to prove that a suspect committed a crime or violated a company policy.
• Remember: digital forensics is not data recovery.
• The success of an investigation relies on how well we understand what we are looking for and how efficient we are in the process of looking for it.
• Investigation of digital devices generally includes:
- Collecting data securely
- Observation and examination of suspected data
- Presentation of the collected data, represented as digital information, to the courts
- Making use of laws related to digital evidence practices
• Conducting a computer investigation therefore requires following an accepted procedure.
• A good case rests on the validity of the chain of evidence and the chain of custody.
4. OVERVIEW OF A COMPUTER CRIME
How do we characterize a crime as a “COMPUTER CRIME”?
• The computer is used as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography or intellectual property, stealing identities, or violating privacy.
• Four major categories of computer crimes:
- Internal computer crimes: trojan horses, logic bombs, trap doors, worms, and viruses
- Telecommunication-related crimes: phreaking and hacking
- Computer manipulation crimes that result in embezzlement and fraud: use of a computer to manipulate financial statements
- Traditional thefts of hardware and software
- Up to now: slow implementation/adoption by governments of laws related to computer crimes.
5. So, the major perpetrators of computer crimes include:
• Hackers.
• Crackers.
• Malicious insider.
• Industrial spies.
• Cybercriminals.
• Hacktivist.
• Cyber terrorists.
Computer crimes today are so prevalent because:
- The complexity of systems reduces mastery of the computer and network environment
- Poor implementation of security policies
- Rapid technological advancements
- Slow delivery of software and hardware fixes (repairs)
- Better mastery of physical crimes pushes criminals to try other means
OVERVIEW OF A COMPUTER CRIME (Cont…)
6. • Computer crime includes cases in which the computer is the tool, the target, or incidental to the offense.
Practical case example
“In a recent case where a computer was used as a tool in the crime, SEARCH assisted the Long Beach (California) Police Department with the forensic examination of two seized microcomputers. The computers were allegedly used by a gang involved in a payroll check counterfeiting operation that resulted in the loss of millions of dollars to two major banking institutions. The suspects used computer imaging technology and high-resolution scanners and printers to replicate payroll checks.” (Kelly, 1995)
• It means computer crimes contain information that helps law enforcement determine:
- the chain of events leading to a crime,
- evidence that can lead to a conviction.
Note: Digital evidence can easily be altered by a careless investigator. Be mindful to respect procedures!
OVERVIEW OF A COMPUTER CRIME ( Cont…)
7. Digital investigation Triad
• Investigators in charge of forensics often work as a team known as the investigation triad.
Source: Retrieved from https://doi.org/10.1016/j.diin.2015.07.004
8. Digital investigation Triad (Cont…)
Forensics investigation needs to be conducted with the CIA principle in mind: the integrity of the data must be preserved, the discovery kept as confidential as possible, and the data made available according to how it will be presented and accepted in court.
The digital forensics triad is made of three main pillars:
- Vulnerability/threat assessment and risk management: consists of activities such as testing and verifying the integrity of stand-alone workstations and network servers
- Network intrusion detection and incident response: detects intruder attacks with automated tools and by monitoring network firewall logs
- Digital investigations: properly managed investigation and launching of forensic analysis of any system suspected to contain potential evidence.
The CIA triad
9. Initiating Computer crimes investigation
What should be the behavior of investigators towards evidence at the crime scene?
• Handling electronic evidence at the crime scene during an investigation consists of:
◆ Recognition and identification of the evidence.
◆ Documentation of the crime scene.
◆ Collection and preservation of the evidence.
◆ Packaging and transportation of the evidence.
Prior to these steps:
• The necessary legal authority to search for and seize the suspected evidence must be obtained.
• The crime scene must be secured and documented (photographically and/or by sketch or notes).
• Crime scene protective equipment (gloves, etc.) must be used.
Note: Always remember to consult your local prosecutor before accessing stored data on a device. Because of the fragile nature of electronic evidence, examination should be done by appropriate personnel.
10. What are the considerations when planning for an investigation?
A basic investigation plan therefore consists of:
- Acquiring the evidence
- Preparing an evidence form and establishing a chain of custody
- Transporting the evidence to a computer forensics lab
- Placing the evidence in a secure environment (container)
- Preparing a forensics workstation
- Obtaining the evidence from the secure location where it was placed
- Making a forensic copy of the evidence
- Returning the evidence to the secure location
- Processing the copied evidence with computer forensics tools
Initiating Computer crimes investigation (Cont…)
11. Notes:
• The evidence custody form will help in documenting what has been done with the original evidence and its forensic copies.
• The single-evidence form lists each piece of evidence on a separate page; the multi-evidence form is used otherwise.
• Evidence bags should be used to catalogue the evidence.
• Preferably, the products used should be safe (use anti-static bags, etc.).
• Use well-padded containers.
• All openings should be sealed with tape (floppy disk drive, power supply cord, etc.).
• Write your initials on the tape to prove that the evidence has not been tampered with.
Initiating Computer crimes investigation (Cont…)
12. Presentation of some important investigation forms
Initiating Computer crimes investigation (Cont…)
• Chain of evidence form (details all the evidence collected, with its specifications)
• Chain of custody form (details how the evidence was handled every step of the way)
13. • Multi-evidence form
• Single-evidence form
Initiating Computer crimes investigation (Cont…)
14. Investigating an Employee Termination case
• Most investigations for termination cases involve employee abuse of corporate assets.
• Also issues such as harassment, or visiting prohibited websites while at work.
• Harassment cases: people have to leave their work, resulting in significant cost on both sides (employee and employer).
Consequences:
- loss of productivity
- need to retrain new staff
- wrongful termination lawsuits
- impact on company culture, workplace morale, and brand reputation
So…
There is a need to conduct an investigation into the allegations and report to internal stakeholders for appropriate action to be taken.
15. Investigating Termination based on Internet abuse
• Need to:
- Access the organization’s internet proxy logs
- Obtain the suspect computer’s IP address
- Obtain the suspect computer’s disk drive
- And make use of your most reliable computer forensics tools
Steps to take will therefore involve:
- Making use of standard forensics analysis techniques and procedures
- Using appropriate tools to extract all web page URL information (example: the Magnet.AI tool)
- Contacting the network administrator and requesting the proxy server log
- Comparing the data recovered from forensic analysis to the proxy server log
- And proceeding with the analysis of the computer disk drive data
Investigating an Employee Termination case (Cont…)
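As an added illustration of the "compare the data recovered from forensic analysis to the proxy server log" step (example code written for this page, not the author's or any forensic tool's), the script below parses a constructed Squid-style access log, canonicalises URLs so the disk-side and proxy-side views compare, and reports which recovered URLs the proxy corroborates for the suspect's IP. The log layout, IPs, hostnames and user names are all invented, and a malformed log line is deliberately included.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed Squid-style access.log sample (not a real capture):
# epoch-seconds elapsed-ms client-ip status/code bytes method url user
PROXY_LOG = """\
1709200000.125    312 10.1.5.23 TCP_MISS/200 5120 GET http://example-news.test/story/42 jdoe
1709200031.004    120 10.1.5.23 TCP_MISS/200 9800 GET http://gambling-site.test/play bob
1709200090.511     88 10.1.5.99 TCP_HIT/200 2048 GET http://intranet.test/home alice
1709200120.777    450 10.1.5.23 TCP_MISS/403 512 GET http://gambling-site.test/deposit/ bob
this line is corrupt and must be reported, not silently skipped
1709200200.000     60 10.1.5.23 TCP_MISS/200 1200 GET http://example-news.test/story/43 bob
"""

# Constructed stand-in for URLs a browser-history or carving tool recovered from the suspect disk
RECOVERED_URLS = [
    "http://gambling-site.test/play",
    "http://gambling-site.test/deposit",
    "http://example-news.test/story/42#top",
    "http://not-in-proxy.test/page",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)$"
)


def parse_proxy_log(text):
    """Return (entries, bad_line_numbers); a malformed line is recorded, never dropped silently."""
    entries, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            bad.append(lineno)
            continue
        entry = m.groupdict()
        entry["when"] = datetime.fromtimestamp(float(entry["ts"]), tz=timezone.utc)
        entries.append(entry)
    return entries, bad


def normalise(url):
    """Canonical form (lower-case host, no fragment, no trailing slash) so both sources compare equal."""
    p = urlsplit(url)
    path = p.path.rstrip("/") or "/"
    return f"{p.scheme}://{p.netloc.lower()}{path}" + (f"?{p.query}" if p.query else "")


def correlate(recovered_urls, entries, client_ip):
    """Split recovered URLs into those the proxy log corroborates for client_ip and those it does not.

    Each corroborated URL maps to (timestamp, proxy user, status) tuples: the proxy user is
    kept because an IP address alone does not establish who was at the keyboard.
    """
    seen = {}
    for e in entries:
        if e["client"] == client_ip:
            seen.setdefault(normalise(e["url"]), []).append(e)
    corroborated, uncorroborated = {}, []
    for url in recovered_urls:
        hits = seen.get(normalise(url))
        if hits:
            corroborated[url] = [(h["when"].isoformat(), h["user"], h["status"]) for h in hits]
        else:
            uncorroborated.append(url)
    return corroborated, uncorroborated


if __name__ == "__main__":
    entries, bad = parse_proxy_log(PROXY_LOG)
    hits, misses = correlate(RECOVERED_URLS, entries, "10.1.5.23")
    for url, records in hits.items():
        print("CORROBORATED   ", url, records)
    for url in misses:
        print("NO PROXY RECORD", url)
    print("unparsed log lines:", bad)
```

A URL with no proxy record is not evidence of anything by itself (cached pages, a VPN, or a gap in log retention all produce the same result), which is why the script reports it separately instead of discarding it.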
16. Investigating Termination based on E-mail abuse
Need to:
- Acquire an electronic copy of the offending e-mail that contains the message header data
- Also, if possible, acquire the e-mail server log records
- If the e-mail system stores users’ messages on a central server, get access to that server
- Gain access to the computer so that you can conduct forensic analysis on it
- Then, remember to always go for the most reliable forensic analysis tools
Steps to take will therefore involve:
- Using the standard forensics analysis techniques
- Getting an electronic copy of the suspect’s and victim’s e-mail folders or data
- For web-based e-mail investigations, using tools such as FTK’s Internet Keyword Search option to extract all related e-mail address information
- Examining the header data of all messages of interest to the investigation
Investigating an Employee Termination case (Cont…)
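An added example (not from the slides) of examining message header data: it walks the Received: chain of a constructed message oldest-first, separates the origin that the sender's side claims from the last handoff our own mail servers recorded, and measures clock skew between the Date: header and the first relay stamp. Every host and IP is invented, and the trusted domain suffix .corp.test is an assumption.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message; every hostname and IP below is invented for the example.
RAW_MESSAGE = b"""\
Received: from mail-gw.corp.test (mail-gw.corp.test [192.0.2.10])
    by mailbox.corp.test with ESMTP id X1; Mon, 4 Mar 2024 09:15:22 +0000
Received: from relay.external.test (relay.external.test [198.51.100.7])
    by mail-gw.corp.test with ESMTPS id Y2; Mon, 4 Mar 2024 09:15:20 +0000
Received: from [203.0.113.42] (unknown [203.0.113.42])
    by relay.external.test with ESMTPA id Z3; Mon, 4 Mar 2024 09:15:18 +0000
From: "Someone" <someone@external.test>
To: victim@corp.test
Subject: Re: project
Message-ID: <abc123@external.test>
Date: Mon, 4 Mar 2024 09:15:10 +0000

body text
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_received_chain(raw):
    """Return the Received hops oldest-first as dicts: from, ip, by, date (datetime or None)."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())   # unfold the header onto one line
        from_m, by_m, ip_m = FROM_RE.match(text), BY_RE.search(text), IP_RE.search(text)
        date = None
        if ";" in text:
            try:
                date = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                date = None
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
            "date": date,
        })
    hops.reverse()   # each relay prepends its header, so the last header is the first hop
    return hops


def claimed_origin(hops):
    """IP in the oldest hop: what the first relay says it received from (not verifiable by us)."""
    return hops[0]["ip"] if hops else None


def last_reliable_handoff(hops, trusted_suffix):
    """Oldest hop whose receiving server is ours but whose sending server is not.

    Headers below our own servers could have been written by the sender, so the external
    host that handed the message to our first server is the last IP we can vouch for.
    """
    for hop in hops:
        by_ok = bool(hop["by"]) and hop["by"].endswith(trusted_suffix)
        from_ok = bool(hop["from"]) and hop["from"].endswith(trusted_suffix)
        if by_ok and not from_ok:
            return hop
    return None


def clock_skew_seconds(raw, hops):
    """Seconds between the sender's Date: header and the first relay's stamp; large gaps need explaining."""
    msg = email.message_from_bytes(raw)
    sent = parsedate_to_datetime(msg["Date"])
    first = hops[0]["date"] if hops else None
    return (first - sent).total_seconds() if first else None


if __name__ == "__main__":
    chain = parse_received_chain(RAW_MESSAGE)
    for i, hop in enumerate(chain):
        print(i, hop["from"], hop["ip"], "->", hop["by"], hop["date"])
    print("claimed origin:", claimed_origin(chain))
    print("last reliable handoff:", last_reliable_handoff(chain, ".corp.test"))
    print("clock skew (s):", clock_skew_seconds(RAW_MESSAGE, chain))
```

The claimed origin and the reliable handoff should be reported separately in the case notes: the former comes from a server the organisation does not control, the latter from its own logs, which the server-side records acquired in the steps above can corroborate.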
17. Attorney-Client Privilege (ACP) Investigation
For investigations related to ACP, one important factor:
You must keep all findings confidential.
Also:
Many attorneys like to have printouts of the data you have recovered, so there is a need to persuade and educate many attorneys on how digital evidence can be viewed electronically.
Remember: you may face difficulties if you find data in the form of binary files.
The steps involved in conducting an ACP investigation are:
- Requesting a memorandum from the attorney directing you to start the investigation
- Requesting a list of keywords of interest to the investigation
- Initiating the investigation and analysis
- If there is a need to examine a disk, making two bit-stream images using different tools
- Comparing hash signatures of all files on the original and re-created disks
- Doing a methodical examination of every portion of the disk drive and extracting all data
- Running keyword searches on both allocated and unallocated disk space
- Analyzing and extracting data from the registry using tools such as Registry Viewer 2.0 (AccessData Registry Viewer)
18. - Identifying the correct software product for binary data files such as CAD drawings
- It is advisable to use a tool that removes or replaces non-printable data for unallocated data recovery (SIFT tool, Linux)
- Consolidating all recovered data from the evidence bit-stream image into folders and subfolders
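The "two bit-stream images, then compare hash signatures" steps above, as an added example that is not from the slides: it streams SHA-256 over a source and two images, repeats the check after one byte of an image has been altered, compares per-file hashes between an original and a re-created directory tree, and emits a chain-of-custody line (the examiner name is a placeholder). It works on constructed data in a temporary directory rather than on a real drive.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20   # read 1 MiB at a time so multi-GB images never need to fit in memory


def hash_file(path, algo="sha256"):
    """Stream a file through the chosen hash; works for images of any size."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_dual_images(source, image_a, image_b):
    """Two images made with different tools must both hash identically to the source."""
    digests = {p: hash_file(p) for p in (source, image_a, image_b)}
    return digests, digests[source] == digests[image_a] == digests[image_b]


def tree_hashes(root):
    """Map relative path -> sha256 for every regular file under root (symlinks skipped)."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                out[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return out


def compare_trees(original, recreated):
    """Per-file comparison: (matching, changed, missing_in_recreated, extra_in_recreated)."""
    a, b = tree_hashes(original), tree_hashes(recreated)
    matching = sorted(p for p in a if p in b and a[p] == b[p])
    changed = sorted(p for p in a if p in b and a[p] != b[p])
    missing = sorted(p for p in a if p not in b)
    extra = sorted(p for p in b if p not in a)
    return matching, changed, missing, extra


def custody_entry(item, action, digest, examiner):
    """One chain-of-custody line: when, which item, what was done, its hash, and by whom."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return f"{stamp} | {item} | {action} | sha256={digest} | {examiner}"


def demo():
    """Build constructed evidence in a temp dir, image it twice, corrupt one image, compare trees."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence.bin")
        with open(src, "wb") as f:
            f.write(os.urandom(2 * CHUNK + 123))   # not a CHUNK multiple: exercises the tail read
        img_a, img_b = os.path.join(tmp, "tool_a.dd"), os.path.join(tmp, "tool_b.dd")
        for img in (img_a, img_b):
            with open(src, "rb") as s, open(img, "wb") as d:
                d.write(s.read())
        digests, ok_before = verify_dual_images(src, img_a, img_b)
        log = [custody_entry("evidence.bin", "imaged twice, hashes match", digests[src], "EXAMINER-PLACEHOLDER")]
        with open(img_b, "r+b") as f:   # flip one byte in image B: the check must now fail
            f.seek(CHUNK + 5)
            byte = f.read(1)
            f.seek(CHUNK + 5)
            f.write(bytes([byte[0] ^ 0xFF]))
        _, ok_after = verify_dual_images(src, img_a, img_b)

        # Per-file check between an "original" tree and a "re-created" one with one altered file
        orig, recr = os.path.join(tmp, "orig"), os.path.join(tmp, "recreated")
        for root in (orig, recr):
            os.makedirs(os.path.join(root, "docs"))
            with open(os.path.join(root, "docs", "memo.txt"), "wb") as f:
                f.write(b"privileged memo\n")
            with open(os.path.join(root, "notes.txt"), "wb") as f:
                f.write(b"notes\n")
        with open(os.path.join(recr, "notes.txt"), "ab") as f:
            f.write(b"altered during handling\n")
        report = compare_trees(orig, recr)
        return ok_before, ok_after, report, log


if __name__ == "__main__":
    ok_before, ok_after, (same, changed, missing, extra), log = demo()
    print("dual images verified:", ok_before, "| after corrupting image B:", ok_after)
    print("matching:", same, "changed:", changed, "missing:", missing, "extra:", extra)
    print(*log, sep="\n")
```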
Besides:
- As much as possible, minimize written communications with the attorney!
Note: Any document to the attention of the attorney must contain a header stating “Privileged Legal Communication-Confidential Work Product”. Always keep an open line of verbal communication.
- Encryption should be used if you need to communicate via e-mail.
Attorney-Client Privilege (ACP) Investigation (Cont…)
19. It is important to know that keeping control of sensitive data can be difficult. So…
• Consider for this case to:
- Examine e-mail
- Examine Internet message boards
- Examine proxy server logs
- Examine known suspects’ workstations
- Examine all company telephone records, looking for calls to the media
Steps to take for media leaks involve:
- Interviewing management privately to get a list of employees who have direct knowledge of the sensitive data
- Identifying the media source that published the information
- Reviewing company phone records
- Obtaining a list of keywords related to the media leak
- Performing keyword searches on proxy and e-mail servers
Conducting a Media Leak Investigation
20. - Discreetly conducting forensic disk acquisitions and analysis
From the forensic disk examinations:
- Analyze all e-mail correspondence and trace any sensitive messages to other people
- Expand the discreet forensic disk acquisition and analysis
- Consolidate and review your findings periodically
- Routinely report findings to management
Conducting a Media Leak Investigation (Cont…)
21. All suspected industrial espionage cases should be treated
as criminal investigations
A dedicated staff needs to be constituted, made up of:
- Computing investigator: responsible for disk forensic
examinations
- Technology specialist: knowledgeable about the suspected
compromised technical data
- Network specialist: performs log analysis and sets up network
sniffers
- Threat assessment specialist (typically an attorney)
Conducting an Industrial espionage investigation
22. To conduct an investigation on this type of case:
• Find out whether this investigation involves a possible industrial
espionage incident
• Be sure to consult with corporate attorneys and upper
management
• Determine what information is needed to substantiate the
allegation
• Generate a list of keywords for disk forensics and sniffer
monitoring
• List and collect resources for the investigation
Conducting an Industrial espionage investigation (Cont…)
23. • Determine the goal and scope of the investigation
• Initiate the investigation after approval from
management
Planning considerations:
• Examine all e-mail of suspected employees
• Search Internet newsgroups or message boards
• Initiate physical surveillance
• Examine facility physical access logs for sensitive
areas
Conducting an Industrial espionage investigation (Cont…)
24. After implementing the above guidelines, you need to plan your
investigation
• Determine the suspect’s location in relation to the vulnerable asset
• Study the suspect’s work habits
• Collect all incoming and outgoing phone logs
Steps:
• Gather all personnel assigned to the investigation and brief them on the plan
• Gather resources to conduct the investigation
• Place surveillance systems
• Discreetly gather any additional evidence
• Collect all log data from networks and e-mail servers
• Report regularly to management and corporate attorneys
• Review the investigation’s scope with management and corporate attorneys
Conducting an Industrial espionage investigation (Cont…)
25. • Investigation interviews require experience.
• Why?
• Obtaining a confession from a suspect is not an easy task!
• Interviews are done to collect information from a witness or suspect about specific
facts related to an investigation.
• A digital forensic investigator will be interested in gathering information and
conducting interviews regarding computer crime, child pornography, fraud,
hacking, and other digital crimes.
• Before starting the interview process:
- Investigators must know the potential facts of the case and background
information on the victim or perpetrator to be interviewed
- Know the victims’ or perpetrators’ personal information, prior criminal
sentences, and professional status
- The purpose here is to develop a methodology to create a standardized interview
method and to try to build relationships and connections with the interviewee.
Note: There is no standard interview method. It all depends on the type of
crime to investigate (fraud, hacking…)
Initiating Interviews in Digital Forensics investigations
26. • Different interview techniques therefore exist, but interviews should usually try to answer
simple questions such as: who, when, where, what, how, and why.
• Remember: The initial interview is typically the best chance to collect basic
evidence. Also, interviewers must be patient and persistent throughout the interview
process.
• While deciding which technique to use for a computer-related crime:
- Evaluate the suspect’s computer skills to avoid being confused by perpetrators
or victims who may have higher computer knowledge
- The perpetrator’s computer knowledge should be evaluated based on other evidence
- Gather as many details as possible regarding the hardware and software the
perpetrator was using
- Also gather details concerning the victim (especially if it involves a child)
- Besides, gather information such as: the perpetrator’s user name, online profile, ISP,
e-mail account information, and time of online connectivity.
Initiating Interviews in Digital Forensics investigations (Cont…)
27. • The interview process can effectively start once the information necessary for the
interview is gathered.
But, before you start, make ready:
- Privacy Act Statement
- List of official papers from the interviewee
- Checklist with information gathered prior to the interview
- List of questions
- Copies of all official papers planned to be shown to the perpetrator or victim
- The method used to record the interview
Be mindful that:
- The interview should be conducted in a peaceful and comfortable setting
- Use personal names to relax the tension and start building a good “rapport” with the interviewee. A
good relationship from the start helps in achieving GOOD RESULTS
- Don’t use a heavy-handed approach that enforces your authority (NO NEED!)
- For a child case, be sure to prepare the child’s morale ahead of the interview
- Be a good listener and observer
- DO NOT COMPLETE the interviewee’s sentences. If you don’t get it, reformulate until both of you are on the same page
- Adopt an open-ended approach prior to the YES/NO format
Interview Methodology
28. The following steps should be taken to conduct investigation interviews:
1. Welcome the victim in a pleasant way
2. Be comfortable and friendly to calm the victim (in the case of a child victim, the interviewer must be
extremely cautious not to disturb the child)
3. Introduce yourself
4. Explain to the victim the reason for the visit
5. Clarify the significance and importance of the victim’s testimony to the case
6. Check the victim’s name, current address, phone numbers, and occupation
7. Ask the victim to tell the story as a narrative
8. Do not interrupt; listen, and take brief notes very cautiously on what the victim says
9. Observe the victim’s behavior and body movement
10. Try to be empathetic to motivate the victim
11. Ask additional questions relevant to the case when the victim finishes the narrative, starting with
general questions, and moving toward more specific questions
12. Ask specific questions, if child exploitation is involved, about the location of the crime, methods, and
any existing computers and other devices
13. Compare the victim’s statement with other statements, if they exist
14. Review contradictions and, if the victim is cooperative, present them to the victim
Interview Methodology (Cont…)
29. Interview process for a child abuse case in computer-related crimes – Source: (Edita Bajramović, 2014)
Interview Methodology (Cont…)
30. Investigation Interview Recording
• A very important element of digital forensic investigations
• NEEDS to be accurate
• An interview record can create the foundation for investigative case management
conclusions.
• An interview record can be used as evidence in some jurisdictions
• To determine which recording technique to use, think about:
- Cost
- Logistics
- The possible effect on those interviewed
- Any legal requirements affecting the interview’s acceptability
Interview recording techniques for computer-related crimes – Source: (Edita Bajramović, 2014)
31. INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence)
• Electronic evidence can be found in many of the new types of
electronic devices available today.
• There is a wide variety of types of electronic devices commonly
encountered at crime scenes.
Remember: Many electronic devices contain memory that
requires continuous power to maintain the information (battery or AC
power). Data can be easily lost by unplugging the power source
or allowing the battery to discharge.
Note: After determining the mode of collection, collect and
store the power supply adaptor or cable, if present, with the
recovered device
32. INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
Computer crime scene – Source: (CHFI, 2010)
33. Investigating Computer Systems
• A computer system consists of a main base unit (CPU), data storage devices, a monitor, keyboard, and mouse.
• It may be standalone or connected to a network (laptops, desktops, tower systems, modular rack-mounted
systems, microcomputers, minicomputers, supercomputers and mainframe computers).
• Additional components include modems, printers, scanners, docking stations, and external
data storage devices
Primary use: Computation and Information Storage
Potential Evidence: commonly found in files that are stored on hard
drives and storage devices and media.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
34. Investigating Computer Systems
• Example: User-Created Files
Can contain important evidence of criminal activity such as:
- Address books and database files (may prove
criminal association)
- Still or moving pictures (may be evidence of pedophile activity)
- Communications between criminals (e-mail or letters)
- Drug deal lists, which may often be found in spreadsheets
Investigators should look at:
◆ Address books.
◆ Audio/video files.
◆ Calendars.
◆ Database files.
◆ Documents or text files.
◆ E-mail files.
◆ Image/graphics files.
◆ Internet bookmarks/favorites.
◆ Spreadsheet files.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
35. Investigating Computer Systems
Example: User-Protected Files
• Users can hide evidence in a variety of forms
• They may encrypt or password-protect data that are important to them.
• They may also hide files on a hard disk or within other files or deliberately hide incriminating evidence files under
an innocuous name
Investigators should also focus on:
◆ Compressed files.
◆ Encrypted files.
◆ Hidden files.
◆ Misnamed files.
◆ Password-protected files.
◆ Steganography.
Remember that:
- Passwords, Internet activity, and temporary backup files are examples of data that can often be recovered and
examined
- Evidence can also be found in files and other data areas created as a routine function of the computer’s
operating system
- In most cases, the user is not aware that data are being written to these areas.
- There are components of files that may have evidentiary value, including the date and time of creation, modification,
deletion, and access, the user name or identification, and file attributes.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
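One practical check for misnamed files, added here as an example rather than taken from the slides: compare the first bytes of each file (its magic number) with what its extension claims. The signature table and the sample files are constructed for the example; the check flags only content with a known signature, so plain-text formats without a magic number are never reported.

```python
"""Added example (not from the slides): flag misnamed files by checking the
file's leading bytes (its magic number) against what the extension promises."""
import os
from typing import Dict, FrozenSet, List, Optional, Tuple

# Well-known signatures and the extensions that legitimately carry them.
SIGNATURES: List[Tuple[bytes, FrozenSet[str]]] = [
    (b"\xFF\xD8\xFF", frozenset({".jpg", ".jpeg"})),
    (b"\x89PNG\r\n\x1a\n", frozenset({".png"})),
    (b"GIF87a", frozenset({".gif"})),
    (b"GIF89a", frozenset({".gif"})),
    (b"%PDF-", frozenset({".pdf"})),
    # ZIP container: Office Open XML documents are ZIP archives too.
    (b"PK\x03\x04", frozenset({".zip", ".docx", ".xlsx", ".pptx", ".jar"})),
    (b"MZ", frozenset({".exe", ".dll"})),
    (b"\x1f\x8b", frozenset({".gz", ".tgz"})),
]


def signature_extensions(header: bytes) -> Optional[FrozenSet[str]]:
    """Extensions consistent with the header, or None if the signature is
    unknown (plain-text formats have no magic number and stay unclassified)."""
    for magic, extensions in SIGNATURES:
        if header.startswith(magic):
            return extensions
    return None


def is_misnamed(name: str, header: bytes) -> bool:
    """True only when the content has a known signature AND the extension
    disagrees with it; unknown content is never reported as misnamed."""
    extension = os.path.splitext(name)[1].lower()
    expected = signature_extensions(header)
    return expected is not None and extension not in expected


def scan(files: Dict[str, bytes]) -> List[str]:
    """Names of files (mapping name -> content) whose extension lies."""
    return sorted(name for name, data in files.items() if is_misnamed(name, data[:16]))


# Constructed sample 'evidence' files, not real case data.
SAMPLE_FILES: Dict[str, bytes] = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",   # genuine JPEG
    "budget.xlsx": b"PK\x03\x04\x14\x00\x06\x00",         # genuine OOXML
    "readme.txt": b"Nothing to see here.",                # no signature
    "vacation2.jpg": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3",      # PDF hidden as JPEG
    "setup.log": b"MZ\x90\x00\x03\x00\x00\x00",           # executable as log
    "archive.gif": b"PK\x03\x04\x0a\x00\x00\x00",         # ZIP named as GIF
}

if __name__ == "__main__":
    for name in scan(SAMPLE_FILES):
        print("misnamed:", name)
```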
36. Investigating Computer Systems
Example: Computer-Created Files and Other Data Areas
Evidence can also be found in files created by the computer itself and in other data areas
Investigators should check:
◆ Backup files.
◆ Configuration files.
◆ Cookies.
◆ Hidden files.
◆ History files.
◆ Log files.
◆ Printer spool files.
◆ Swap files.
◆ System files.
◆ Temporary files.
And
◆ Bad clusters.
◆ Computer date, time, and password.
◆ Deleted files.
◆ Free space.
◆ Hidden partitions.
◆ Lost clusters.
◆ Metadata.
◆ Other partitions.
◆ Reserved areas.
◆ Slack space.
◆ Software registration information.
◆ System areas.
◆ Unallocated space.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
37. • Read Chapter 1 of the book:
Computer Hacking Forensics Investigators (CHFI),
Computer Forensics, Investigating Hard disks, File and
Operating System, Eccouncil, 2010. PDF format
• Evaluate other computer system components and network
entities that can be submitted to the investigation process.
• Take note of potential sources of evidence during the investigation.
• Generate a table that describes each component with the possible
evidence that can be found.
INVESTIGATING A COMPUTER CRIME SCENE: Electronic Devices (Types and
Potential Evidence) (Cont…)
38. • Gather the resources identified in the investigation plan.
Items needed:
–>Original storage media
–>Evidence custody form
–>Evidence container for the storage media
–>Bit-stream imaging tool
–>Forensic workstation to copy and examine your evidence
–>Securable evidence locker, cabinet, or safe
Conducting the investigation Generally on an item
39. During gathering of the evidence, there are steps you may
take to avoid damaging the evidence:
–>Meet the IT manager to interview him
–>Fill out the evidence form and have the IT manager sign it
–>Place the evidence in a secure container
–>Complete the evidence custody form
–>Carry the evidence to the computer forensics lab
–>Create forensic copies (if possible)
–>Secure the evidence by locking the container
–>Process the copied evidence with computer forensics tools
Precautions to take during the investigation to avoid
destroying evidence
40. One Important Task during the investigation: the
copying process
One important rule of computer forensics investigation is to
preserve the original evidence!
Remember: Conduct your analysis only on a copy of the
data!
DO Bit-Stream Copies
- Performs a bit-by-bit copy of the original storage medium
- The copy obtained is an exact copy of the original disk
- Copy the image file to a target disk that matches the original disk’s manufacturer,
size and model
Different from a simple backup copy
- Backup software only copies known files
- Backup software cannot copy deleted files or e-mail messages, or
recover file fragments
Tools: ProDiscover Basic, FTK Imager, Linux dd command
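As an added illustration, not code from the slides or from any of the tools named above, the following Python script builds a constructed four-sector “disk” holding one live file and a deleted fragment in unallocated space (the kind of area slide 36 lists). It shows why a backup copy misses what a bit-stream image captures, and why the image is hash-verified against the original before analysis starts; the disk layout and all names are assumptions of the example.

```python
"""Bit-stream image vs. backup copy (added example, not the slides' own code).
The 'disk' below is a constructed 4-sector byte buffer, not a real device."""
import hashlib
from typing import Dict

SECTOR = 512  # sector size of the constructed disk


def make_constructed_disk() -> bytes:
    """Sector 0: a fake allocation table; sectors 1-2: a live file;
    sector 3: unallocated space still holding a fragment of a deleted file."""
    disk = bytearray(SECTOR * 4)
    disk[0:SECTOR] = b"ALLOC:report.txt@1-2;".ljust(SECTOR, b"\x00")
    disk[SECTOR:3 * SECTOR] = b"Quarterly report: sales up 12%.".ljust(2 * SECTOR, b"\x00")
    disk[3 * SECTOR:4 * SECTOR] = b"DELETED: draft message to a reporter".ljust(SECTOR, b"\x00")
    return bytes(disk)


def backup_copy(disk: bytes) -> Dict[str, bytes]:
    """What backup software does: copy only the files the allocation
    table knows about. The deleted data in sector 3 is never seen."""
    table = disk[:SECTOR].rstrip(b"\x00").decode()   # 'ALLOC:report.txt@1-2;'
    files: Dict[str, bytes] = {}
    for entry in table[len("ALLOC:"):].split(";"):
        if not entry:
            continue
        name, span = entry.split("@")
        first, last = (int(n) for n in span.split("-"))
        files[name] = disk[first * SECTOR:(last + 1) * SECTOR].rstrip(b"\x00")
    return files


def bit_stream_image(disk: bytes) -> bytes:
    """What dd does: copy every sector in order, allocated or not.
    (On a real drive, behind a write blocker:
    dd if=/dev/sdX of=evidence.dd bs=512 conv=noerror,sync)"""
    image = bytearray()
    for offset in range(0, len(disk), SECTOR):
        image += disk[offset:offset + SECTOR]
    return bytes(image)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_verified(original: bytes, image: bytes) -> bool:
    """Hash the original and the image independently; analysis should only
    start on an image whose hash matches the original's."""
    return sha256_hex(original) == sha256_hex(image)


if __name__ == "__main__":
    disk = make_constructed_disk()
    image = bit_stream_image(disk)
    backup = backup_copy(disk)
    print("backup sees:", list(backup))
    print("deleted fragment in backup:", any(b"DELETED" in d for d in backup.values()))
    print("deleted fragment in image: ", b"DELETED" in image)
    print("image verified:", image_verified(disk, image))
```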
41. At the end of your investigation, you need to produce a
final report.
Here, you must:
- State what you did and what you found
- Include the reports generated by your forensic tool to document your
work
Repeatable findings:
- Repeat the steps and produce the same result, using different
tools
- If required, use a report template
- The report should show conclusive evidence: did the suspect
commit the crime or not, or violate a company policy? ->
Your opinion
Finalizing the Investigation Case
42. • At the end of your investigation, you need to critique the case.
Ask yourself the following questions:
How could you improve your performance in the case?
Did you expect the results you found?
Did the case develop in ways you did not expect?
Was the documentation as thorough as it could have been?
What feedback has been received from the requesting source?
Did you discover any new problems? If so, what are they?
Did you use new techniques during the case or during research?
Finalizing the Investigation Case
43. • Digital forensics investigation of a computer is a unique process
that comes with many challenges.
• The success of an investigation relies on how well we
understand what we are looking for and how efficient we are in
the process of looking for it.
• Conducting a computer investigation therefore requires following
an acceptable procedure
• From the acquisition of evidence to the processing of the copied evidence
with the use of computer forensics tools, computer forensics investigations
contribute to fighting the growth of digital crimes.
• Remember: any digital device can be a source of evidence. Only perspicacity
in conducting the forensics investigation process can ensure good results.
• Success therefore depends on how well equipped you are and on the various
forensics tools used in your forensics laboratory.
CONCLUSION
44. GROUP WORK ASSIGNMENTS
PRESENTATION
In order to become familiar with various forensics tools:
1. Download Forensic Toolkit (FTK) from this URL:
https://accessdata.com/product-download/forensic-toolkit-ftk-version-6-0
2. The downloaded file will be an .iso file. Use the appropriate software to
load it in your OS (Nero, ISO opener, PowerISO, etc.).
3. Form a group of 6 students and specify your group leader
4. Install this tool on an updated laptop with acceptable specifications (dual
core, 2GB RAM, <10GB HDD free space, Windows 10/Linux)
5. Prepare a PowerPoint presentation of this application
6. Demonstrate 2 features expressing forensics investigation
Duration: 1h30 min
Note: This class session will be ONSITE. Date: to be discussed in class…
45. PRESENTATION
• Download the PDF file “Digital Evidence and the US Criminal
Justice System” here:
https://www.rand.org/pubs/research_reports/RR890.html
• Form a group of 3 students
• Prepare a PowerPoint presentation of the content of this file
• Emphasize the case studies elaborated to make your point
• Do a class presentation of your findings and conclusion
• Conclude your presentation using a practical forensics tool that
demonstrates how evidence can be managed during a forensics
investigation.
• Duration: 1h30 min
GROUP WORK ASSIGNMENTS
46. 1- Godwin Emmanuel Oyedokun, Understanding Forensic Investigation
Process (UFIP), lecture delivered at the Fraud Examination and Forensic
Investigation Workshop, 2016.
Retrieved from https://slideplayer.com/slide/7914121/
2- Computer Hacking Forensics Investigators (CHFI), Computer Forensics,
Investigating Hard Disks, File and Operating Systems, EC-Council, 2010
3- Computer Hacking Forensics Investigators (CHFI), Computer Forensics,
Investigating Network and Cyber Crimes, EC-Council, 2010
4- Cardinali, Richard. Anatomy of a bug: understanding the computer
virus. Computer Education, no. 74, June 1993:
QA76.27.C65 and Pamphlet box <SciRR>
5- Hartson, H. Rex. Computer security. In McGraw-Hill Encyclopedia of Science and
Technology. v. 4. 6th ed. New York, McGraw-Hill Book Co., c1987. p. 274-276.
REFERENCES
47. 6- Parker, Donn B. Crime. In Encyclopedia of Computer Science and Technology. v.
New York, Marcel Dekker, Inc., c1977. p. 383-403.
7- John Ashcroft, U.S. Department of Justice, Electronic Crime Scene
Investigation: A Guide for First Responders, 2001. Retrieved from
http://www.ojp.usdoj.gov
8- John Ashcroft, U.S. Department of Justice, Electronic Crime Scene
Investigation: A Guide for First Responders, 2001. Retrieved from
http://www.ojp.usdoj.gov
9- Edita Bajramović, Interview Methodology in Digital Forensics Investigations,
American University in Bosnia, Stručni rad UDC 343.9. Retrieved from
http://media3.novi.economicsandlaw.org/2017/07/Vol11/Bajramovic-11-IJEAL.pdf;
see also Conducting Effective Interviews, AICPA, n.d.,
http://www.aicpa.org/interestareas/forensicandvaluation/resources/practaidsguidance/downloadabledocuments/10834-378_interview%20whiite%20paper-final-v1.pdf
REFERENCES