An Overview of the Digital Forensic Process Northern Cybercrime Forensics Group

Presentation Transcript


  1. An Overview of the Digital Forensic Process. Northern Cybercrime Forensics Group, 25th March 2010. Presented by Sarah Lyons, Synergy Forensics.

  2. What is Computer Forensics?
     • The gathering of information and intelligence about the investigation.
     • The forensic imaging and preservation of material held on computers.
     • The analysis and investigation of material held on computers.
     • The production and presentation of written and oral evidence resulting from the imaging and analysis process.

  3. ACPO Good Practice Guide for Computer-Based Electronic Evidence, Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in Court.

  4. ACPO Good Practice Guide for Computer-Based Electronic Evidence, Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

  5. ACPO Good Practice Guide for Computer-Based Electronic Evidence, Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

  6. ACPO Good Practice Guide for Computer-Based Electronic Evidence, Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

  7. The gathering of information and intelligence about the investigation.
     • Why am I carrying out this investigation?
     • Who is providing my instructions?
     • What are the circumstances of the allegation?
     • Have the computers been seized?
     • Are they being produced as additional evidence?
     • What environment have the computers come from?
     • Are there any legal implications to consider?
       • The Computer Misuse Act 1990
       • The Data Protection Act 1998/2003
       • The Human Rights Act 1998
       • Possession of indecent images of children
     • ACPO Principle 4: Ensure that the law is adhered to.

  8. The forensic imaging and collection of material held on computers
     • Aim: To create a forensically sound copy of the evidence.
     • Considerations:
       • ACPO Principle 1: Don’t cause the data to change.
       • ACPO Principle 2: What if I need to access the original data?
       • ACPO Principle 3: Keep a contemporaneous note.

  9. The forensic imaging and collection of material held on computers
     • Imaging products (EnCase, FTK etc.)
     • Write blocking (hardware and software)
     • Image verification (MD5, SHA1 etc.)
     • Awkward imaging
     • Commercial considerations
     • Contemporaneous note taking
     • Photographs
     • Image storage and security
     • Time and date (check the BIOS)
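Slides 8 and 9 put image verification and contemporaneous note taking side by side: the hash recorded at acquisition is what later proves the working copy is unchanged, and the record of each check is what lets an independent third party repeat it (Principle 3). The following is an added example, not part of the presentation or of any named product: it hashes an image in fixed-size chunks (so a multi-gigabyte image never has to fit in memory), compares the result with the recorded acquisition hashes, and appends a timestamped JSON record to an append-only log. The file name `case001.dd`, the examiner name and the image content are constructed placeholders.

```python
"""Verify a forensic image against its acquisition hashes and log the check.

Added example (not from the presentation). Everything here is constructed:
the "image" is a temporary file containing the bytes b"abc", and the
examiner name is a placeholder.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time; never load the whole image


def hash_image(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`.

    The file is opened read-only ("rb"); this script never opens an image
    for writing. Several digests are computed in one pass over the data.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, recorded, log_path, examiner):
    """Recompute the recorded digests and append an audit record.

    `recorded` is a dict such as {"md5": "...", "sha1": "..."} taken from the
    acquisition notes. Every recorded algorithm must match for the image to
    count as verified; a single mismatch fails the check. Returns True/False.
    """
    fresh = hash_image(path, algorithms=tuple(recorded))
    matches = {alg: fresh[alg] == recorded[alg].lower() for alg in recorded}
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "image": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "recorded": recorded,
        "computed": fresh,
        "verified": all(matches.values()),
    }
    with open(log_path, "a") as log:  # append only: earlier records are kept
        log.write(json.dumps(entry) + "\n")
    return entry["verified"]


def demo():
    """Constructed walk-through: verify a good copy, then an altered copy."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "case001.dd")       # placeholder file name
    log = os.path.join(workdir, "verification.log")
    with open(image, "wb") as fh:
        fh.write(b"abc")                              # constructed image content
    acquired = hash_image(image)                      # stands in for the acquisition hashes
    first = verify_image(image, acquired, log, examiner="Examiner (placeholder)")
    with open(image, "r+b") as fh:                    # simulate a copy that has changed
        fh.seek(0)
        fh.write(b"x")
    second = verify_image(image, acquired, log, examiner="Examiner (placeholder)")
    with open(log) as fh:
        records = [json.loads(line) for line in fh]
    return {
        "hashes": acquired,
        "verified": first,
        "verified_after_change": second,
        "log_entries": len(records),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Computing MD5, SHA1 and SHA256 in the same pass costs little extra and lets the record satisfy whichever algorithm the acquisition notes used; the log line carries both the recorded and the recomputed values so a reviewer can see exactly what was compared, not just a pass/fail flag.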

  10. The analysis and investigation of material held on computers
     • Aim: To provide an impartial, professional examination of the computer evidence based upon the instructions given.
     • Considerations:
       • Do I have the right tools to do the job?
       • Do I understand how to examine the evidence?
       • Do I need to carry out additional research?
       • ACPO Principle 3: Contemporaneous note taking
       • Impartiality

  11. The analysis and investigation of material held on computers
     • Methodology (depending on your instructions):
       • Number of partitions and sizes (consider hidden data)
       • File system
       • Operating system, time zone, user accounts
       • Files and folders
       • Dates and times
       • Internet history analysis, registry analysis
       • Programs, their presence and functionality
       • System files
       • Unallocated clusters
       • Keyword searching
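The first methodology item, "number of partitions and sizes (consider hidden data)", is where space that belongs to no partition first shows up. As an added example that is not from the presentation, the following parses a classic MBR partition table from the first 512 bytes of an image, lists each partition with its start and end sector, and reports every run of sectors that no partition claims: the gap before the first partition, gaps between partitions, and any tail after the last one. The sample MBR is constructed in `demo_parse()` with the layout described in its comments.

```python
"""List MBR partitions and the sectors no partition accounts for.

Added example (not from the presentation). The MBR layout used is the
standard one: a 64-byte table at offset 446 holding four 16-byte entries,
followed by the 0x55AA signature at offset 510. The sample disk is constructed.
"""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
# status(1) CHS(3) type(1) CHS(3) lba_start(4) sector_count(4), little-endian
ENTRY_FMT = "<B3xB3xII"

PART_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def is_mbr(data):
    """True if `data` is at least one sector and carries the 0x55AA signature."""
    return len(data) >= MBR_SIZE and data[510:512] == b"\x55\xaa"


def parse_mbr(mbr, disk_sectors):
    """Return (partitions, gaps) for a 512-byte MBR on a disk of `disk_sectors`.

    Each partition dict gives index, bootable flag, type byte and name, and
    start/end sector. Each gap dict gives the first sector and the length of a
    run that no table entry covers; those runs are where hidden data would sit.
    """
    if not is_mbr(mbr):
        raise ValueError("no 0x55AA signature: not an MBR, or the sector is damaged")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0 or count == 0:       # empty slot
            continue
        parts.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "start": start,
            "sectors": count,
            "end": start + count - 1,
        })
    parts.sort(key=lambda p: p["start"])   # table order need not be disk order

    gaps = []
    cursor = 1                             # sector 0 is the MBR itself
    for p in parts:
        if p["start"] > cursor:
            gaps.append({"start": cursor, "sectors": p["start"] - cursor})
        cursor = max(cursor, p["end"] + 1) # max() tolerates overlapping entries
    if disk_sectors > cursor:              # unclaimed tail after the last partition
        gaps.append({"start": cursor, "sectors": disk_sectors - cursor})
    return parts, gaps


def build_mbr(entries):
    """Construct a 512-byte MBR from (status, type, lba_start, count) tuples."""
    mbr = bytearray(MBR_SIZE)
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE,
                         status, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def demo_parse():
    """Constructed 1 GiB disk (2,097,152 sectors) with two partitions.

    Partition 1: bootable NTFS, sectors 2048..1050623.
    Partition 2: Linux, sectors 1052672..2052671 (2048-sector gap before it).
    The 2047 sectors after the MBR and the tail after partition 2 are unclaimed.
    """
    disk_sectors = 2 * 1024 * 1024
    mbr = build_mbr([
        (0x80, 0x07, 2048, 1048576),
        (0x00, 0x83, 1052672, 1000000),
    ])
    return parse_mbr(mbr, disk_sectors)


if __name__ == "__main__":
    partitions, gaps = demo_parse()
    for p in partitions:
        print("partition %d: %-14s sectors %d-%d%s" % (
            p["index"], p["type_name"], p["start"], p["end"],
            " (bootable)" if p["bootable"] else ""))
    for g in gaps:
        print("unclaimed: %d sectors from sector %d" % (g["sectors"], g["start"]))
```

Two caveats worth recording in your notes when using a check like this: an entry of type 0x05/0x0F is an extended partition whose logical volumes live in a chain of EBRs inside it, so its interior is not examined here, and a single 0xEE entry means the disk is really GPT and the GPT header, not this table, describes the layout. Sector counts here are 512-byte logical sectors; confirm the sector size of the imaged device before converting to bytes.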

  12. The analysis and investigation of material held on computers
     • Things to bear in mind:
       • How will I produce the product of my analysis?
       • Can I explain my analysis in layman’s terms?
       • Would a screenshot illustrate my analysis better?
       • Have I cross-checked my evidence?
       • Do I understand the results? If you’re not sure, TEST THE RESULTS.
       • Who will be reading my report?

  13. The production and presentation of written and oral evidence resulting from the imaging and analysis process.
     • Aim: To provide a clear, concise report which explains how my analysis was carried out and produces evidence which is relevant to the instructions provided.
     • Considerations:
       • Type of proceedings (criminal/civil)
       • Production of exhibits

  14. The production and presentation of written and oral evidence resulting from the imaging and analysis process.
     • Your report:
       • 1: Title and table of contents
       • 2: Introduction: Full name, name of firm, status within the firm, brief overview of experience and specialist field.
       • 3: Background: Relevant parties, assumed facts, issues to be addressed.
       • 4: Technical Investigation: Break down into sections the flow of your analysis:

  15. Technical Investigation continued…
     • Details of your attendance at premises, including times and dates.
     • Details of the imaging process; include photos if necessary.
     • Details of the operating system, user accounts etc.
     • Break down each element of your analysis and, if this produced evidence, exhibit this. For example: ‘I produce the internet history for the user BOB as Exhibit SLL/1 – Internet History for User BOB. This appears at Appendix B of this report’.

  16. Technical Investigation continued…
     • Reference any screen prints (screen print 4 or fig. 2).
     • Avoid using computer jargon where possible.
     • If dealing with more than one computer, deal with each one separately.

  17. Your report continued:
     • 5: Answers to Instructions: Deal with each question provided to you separately where possible, so that the reader can refer directly to this point if needed.
     • 6: The appropriate Declaration
     • 7: Statement of Truth
     • Appendices:
       • Details of your qualification and experience
       • Glossary of terms, if appropriate
       • Any exhibits produced during your analysis
     • DON’T FORGET TO PAGINATE YOUR REPORT!

  18. Any questions?