This document provides an outline for an introductory course on computer forensics. It discusses key steps in forensic investigations, the roles of forensic investigators, accessing forensic resources, the role of digital evidence, understanding corporate investigations, legal issues, and reporting results. The roles of investigators are to confirm compromises, determine damage extent, answer questions, gather evidence, analyze data, and present evidence in court. Legal issues for investigators include ensuring authenticity, reliability, and completeness of evidence so it is admissible in court.
Lect 2 computer forensics
1. Intro to Computer Forensics
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY باخترپوهنتون د
2. Outline
• Key Steps in Forensics Investigation
• Roles of Forensics investigator
• Accessing Computer forensics Resources
• Role of Digital Evidence
• Understanding Corporate Investigation
• Legal Issues
• Reporting the Result
5. Roles of Forensics Investigator
• Confirms the compromise
• Determines the extent of damage
• Answers the WH questions
• Gathers evidence in a forensically sound manner
• Analyzes the evidence data found and protects it from damage
• Prepares the analysis report
• Presents acceptable evidence in the court
6. Accessing Computer Forensics Resources
• You can obtain resources by joining various discussion groups such as:
• Computer Technology investigators
• High Technology Crime investigation Association
• Joining a network of computer forensic experts and other professionals on social media, blogs, websites, etc.
• News devoted to computer forensics can also be a powerful resource
• Other resources
• Journals of forensics investigation
• Actual case studies
8. Understanding Corporate Investigations
• Involve private companies that address company policy violations and litigation disputes
• Company procedures should continue without any interruption from
the investigation
• After the investigation, the company should minimize or eliminate
similar litigations
• Industrial espionage is the foremost crime in corporate investigations
9. Approach to Forensics Investigation: A Case Study
1. An incident occurs in which the company’s server is compromised
2. The client contacts the company’s advocate for legal advice
3. The advocate contacts an external forensic investigator
4. The forensic investigator prepares the first-response procedures
5. The forensic investigator seizes the evidence at the crime scene and
transports it back to the forensics lab
6. The forensic investigator prepares bit-stream images of the files
7. The forensic investigator creates the hash of the files
10. Continued….
8. The forensic investigator examines the evidence files for proof of a crime
9. The FI prepares investigation reports, concludes the investigation
and enables the advocate to identify the required proofs
10. The FI handles the sensitive report of the client in a secure manner
11. The advocate studies the report and might press charges against the offender in a court of law
12. The forensic investigator usually destroys the evidence
11. Legal Issues
• It is not always possible for a computer forensics expert to separate
the legal issues surrounding the evidence from the practical aspects
of the computer forensics
• Examples: the issues related to
• Authenticity
• Reliability
• Completeness
• Convincing
12. Continued…..
• The approach of investigation diverges with changes in technology
• Evidence shown is to be untampered with and fully accounted for,
from the time of collection to the time of presentation to the court;
hence, it must meet the relevant evidence laws
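
The hashing in step 7 of the case study and the requirement that evidence stay untampered and fully accounted for, shown as an added example that is not part of the original slides: a hash manifest is recorded at acquisition and the working copies are re-verified before presentation. The file names, the examiner label and the manifest layout are assumptions, and the sample evidence bytes are constructed.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_acquisition(paths, examiner):
    """Manifest written once, at acquisition time (layout is an assumption)."""
    return {"examiner": examiner,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "items": {os.path.basename(p): sha256_file(p) for p in paths}}

def verify(manifest, directory):
    """Re-hash the working copies; report each item as ok/modified/missing/unlisted."""
    results = {}
    for name, digest in manifest["items"].items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"          # completeness failure
        elif sha256_file(path) != digest:
            results[name] = "modified"         # authenticity failure
        else:
            results[name] = "ok"
    for name in sorted(os.listdir(directory)):
        if name not in manifest["items"]:
            results[name] = "unlisted"         # present but never accounted for
    return results

def demo():
    """Constructed sample evidence: two files, then changes made after acquisition."""
    with tempfile.TemporaryDirectory() as d:
        img, log = Path(d, "server_disk.dd"), Path(d, "auth.log")
        img.write_bytes(b"\x00" * 4096 + b"constructed image bytes")
        log.write_bytes(b"constructed log line\n")
        manifest = record_acquisition([img, log], examiner="examiner-01")
        before = verify(manifest, d)
        img.write_bytes(b"\x01" + img.read_bytes()[1:])   # one byte changed, same size
        log.unlink()
        Path(d, "notes.txt").write_text("added later")
        return before, verify(manifest, d)

if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself is stored separately from the evidence (and ideally signed), since a manifest kept beside the files can be altered along with them.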