Intro to Computer Forensics
Mr. Islahuddin Jalal
MS (Cyber Security) – UKM Malaysia
Research Title – 3C-CSIRT Model for Afghanistan
BAKHTAR UNIVERSITY (د باخترپوهنتون)
Outline
• CF Investigation Process
• Investigating Computer Crime
• Before the Investigation
• Computer Forensic Investigation Methodology
• Evaluate and Secure the Scene
• Electronic Evidence
• Collect the Evidence
• Principles of Electronic Evidence
Investigating Computer Crime
• Determine whether an incident has occurred
• Find and interpret the clues left behind
• Conduct a preliminary assessment to search for the evidence
• Search and seize the computer equipment
• Collect evidence that can be presented in a court of law or at a corporate inquiry
Before the Investigation
• Have a workstation and a data recovery lab
• Build an investigation team
• Enter into an alliance with the local district attorney
• Review policies and laws
• Notify decision makers and acquire authorization
• Assess risks
• Build a computer investigation toolkit
• Define the methodology
Computer Forensics Methodology
• Identification
• Collection
• Analysis
• Presentation
• Preservation
CFI Methodology [CHFI]
Evaluate and Secure the Scene
• Forensic photography
• Gather preliminary information at the crime scene
  • Date and time
  • Place and location of the incident
• Evidence from volatile and non-volatile systems
  • Volatile data: data that would be lost if the computer is turned off
  • Hard drives and storage media
  • Non-volatile data: data that remains unaffected when the computer is turned off
  • Deleted files, computer history, the computer’s registry, temporary files and web browsing history
• Details of the person(s) at the crime scene
  • Name and identification of the person or people who can serve as potential witnesses
Electronic Evidence
• What data can you retrieve?
• Any data that is recorded or preserved on any medium in or by a computer system or other similar device, and that can be read or understood by a person or by a computer system or other similar device
• Evidence is everything
• Evidence is used to establish facts
Where to find Evidence?
• Find the evidence: where is it stored?
• Find relevant data (recovery)
• Establish the order of volatility
• Collect the evidence using tools
• Document every action thoroughly
Where to find Evidence?
• Text documents
• Graphical images
• Calendar files
• Databases
• Audio and video files
• Websites and application programs
• Even viruses, Trojan horses and spyware
• Email records
• Instant messaging logs
• etc.
Collect the Evidence [CHFI]
Evidence Collection Form [CHFI]
Collect Electronic Evidence [CHFI]
Principles of Electronic Evidence
• Relevance
  • Able to demonstrate that the material acquired is relevant to the investigation
• Reliability
  • All processes used in handling the evidence are auditable and repeatable
• Sufficiency
  • Enough material has been gathered to allow a proper investigation
• Admissibility
  • It must be able to be used in court
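The three slides above (the order of volatility, collecting evidence with tools and documenting every action, and the reliability principle of auditable and repeatable handling) come together in a small collection workflow. The script below is an added illustration written for this lecture text, not CHFI tooling or code from the original slides: it orders acquisitions most-volatile-first (the ranking follows RFC 3227), hashes each item with SHA-256 at acquisition time, appends a timestamped custody record for every acquire and verify step, and re-hashes a copy later to show how modification is detected. The item ids, examiner name, file names and file contents are constructed sample data.

```python
"""Order-of-volatility collection planner with an append-only custody log.
Added example for the lecture text; not CHFI's own tooling."""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Volatility ranks, most volatile first (ordering taken from RFC 3227, section 2.1).
ORDER_OF_VOLATILITY = [
    "registers and cache",
    "memory, process table, routing/ARP tables",
    "temporary file systems",
    "disk and storage media",
    "remote logging and monitoring data",
    "physical configuration and network topology",
    "archival media",
]


@dataclass
class EvidenceItem:
    item_id: str            # constructed label, e.g. "E-001"
    description: str
    source: str             # path or device name the data is acquired from (constructed here)
    volatility: str         # one of ORDER_OF_VOLATILITY
    collector: str          # person performing the acquisition (constructed name)
    acquired_at: str = ""   # UTC ISO-8601 timestamp, filled at acquisition
    sha256: str = ""        # hash of the acquired data, filled at acquisition


def volatility_rank(item):
    """Lower rank = more volatile = collect earlier."""
    return ORDER_OF_VOLATILITY.index(item.volatility)


def plan_collection(items):
    """Sort items most-volatile-first so RAM is captured before the disk is imaged."""
    return sorted(items, key=volatility_rank)


def sha256_of_file(path):
    """Stream the file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def append_log(log_path, record):
    """Append one JSON line; the log is never rewritten, which keeps it auditable."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")


def acquire(item, path, log_path):
    """Hash the acquired data, timestamp it and record the acquisition."""
    item.sha256 = sha256_of_file(path)
    item.acquired_at = datetime.now(timezone.utc).isoformat()
    append_log(log_path, {"action": "acquire", **asdict(item)})
    return item


def verify(item, path, log_path):
    """Re-hash a working copy; a mismatch means the copy can no longer be relied on."""
    match = sha256_of_file(path) == item.sha256
    append_log(log_path, {"action": "verify", "item_id": item.item_id, "match": match,
                          "checked_at": datetime.now(timezone.utc).isoformat()})
    return match


def demo():
    """Run the workflow on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        log_path = os.path.join(d, "custody.log")
        mem_dump = os.path.join(d, "memdump.raw")   # constructed stand-in for a RAM image
        disk_img = os.path.join(d, "disk.dd")       # constructed stand-in for a disk image
        with open(mem_dump, "wb") as f:
            f.write(b"abc")
        with open(disk_img, "wb") as f:
            f.write(b"constructed disk image bytes")
        items = [  # deliberately listed disk-first to show the planner reordering them
            EvidenceItem("E-002", "disk image of workstation", disk_img,
                         "disk and storage media", "examiner-1"),
            EvidenceItem("E-001", "RAM capture of workstation", mem_dump,
                         "memory, process table, routing/ARP tables", "examiner-1"),
        ]
        planned = plan_collection(items)
        for it in planned:
            acquire(it, it.source, log_path)
        intact = verify(planned[0], mem_dump, log_path)      # untouched copy matches
        with open(mem_dump, "ab") as f:
            f.write(b"!")                                     # simulate a modified copy
        tampered = verify(planned[0], mem_dump, log_path)    # mismatch is logged, not hidden
        with open(log_path, encoding="utf-8") as f:
            entries = [json.loads(line) for line in f]
        return ([it.item_id for it in planned], planned[0].sha256, intact, tampered, len(entries))


if __name__ == "__main__":
    print(demo())
```

The custody log is append-only and every record carries the collector, the UTC timestamp and the hash, so a second examiner can repeat the hashing step and confirm the same value, which is what the reliability principle asks for.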
Thank You For Your Patience
Lect 3 Computer Forensics