Preparing for Computer Investigations • our focus: what makes “computer” investigations different from other forensic investigations • 2 categories of investigation: • criminal (public, government agency) • civil (private, corporate) • criminal investigations are subject to constitutional search and seizure rules: Section 8 of the Canadian Charter of Rights and Freedoms (http://www.canlii.org/ca/com/chart/s-8.html#_Toc68428976) and the Fourth Amendment to the US Constitution; the US DOJ manual on searching and seizing computers: (http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm) CSC 233H5S, 2007(1)
http://www.usdoj.gov/criminal/cybercrime/
(Civil) Corporate Investigations • private companies, non-enforcement government agencies, and lawyers • not directly governed by criminal law, but by internal corporate policies • e.g., e-mail harassment, falsification of data, discrimination, embezzlement, industrial espionage, theft of intellectual property, improper use of company resources • a search warrant is not needed for company property (as opposed to an employee's personal property) • for the most part, we will concentrate on the criminal side (but read about George and Martha) • advice: act as though a civil case may go criminal, i.e., collect and preserve evidence to the criminal standard from the start
Criminal Investigations • e.g., break-and-enter: the offence is the same whether the tool is a lockpick, a slim-jim, or a computer • 3 stages to an investigation: complaint, investigation, prosecution • [note that the 3 levels of law enforcement computer expertise cited in the text on page 12 differ from the 3 levels given in lecture, Week 1, page 4] • the investigation begins with preparing the case • as you gather evidence, follow a systematic approach (page 32) and maintain a chain of custody
(Parts of a) Systematic Approach • Determine the resources you need • based on the software (application and system, i.e., OS) and hardware of the computer system being investigated, prepare a list of the software and hardware tools you will need • Obtain and copy an evidence disk drive • make a forensic copy of all storage media • Do a standard risk assessment • e.g., a knowledgeable computer user may have set the system up so that entering a wrong password causes data to be overwritten
(More) (Parts of a) Systematic Approach • Minimize the risks • make multiple copies of the original storage media, so that no analysis step ever touches the only copy • Test the design • compare the hash signature of the original medium with that of the copy to ensure that you have a forensically sound copy • Recover the digital evidence, using software and hardware tools, on the forensic copy, never on the original • Analyze the digital evidence
Assessing the Case • type of evidence: storage media (model number, serial number, part number, external “label”, internal “label”, storage capacity, …) • operating system: Windows (what version, what build number, what service pack) or Mac OS or Linux
Securing the Evidence • do not damage any computer hardware component (e.g., pins on a port) • beware of static electricity, which can destroy digital data • antistatic bags, pads, and wrist-straps • use a well-padded container • the disk drive is an electromechanical device • use evidence tape to secure all openings; write your initials on the tape • many storage devices use magnetic media, so ...
Forensic Workstation (FWS) • the forensic copy of the original storage media can be made on a separate FWS, replete with hardware and software options • also done on the FWS are … • the comparison of the digital hashes • the recovery of digital evidence from a copy • the analysis of digital evidence • even normally powering on the computer under investigation can alter the digital evidence (Chapter 7 for Windows)
Gathering the Evidence • acquire the disk and make a forensic copy that is an exact duplicate (on the FWS, or on the original system booted from a separate forensic boot disk) • a bit-stream copy is a bit-by-bit copy of the original storage medium, including unallocated space and slack, and is an exact duplicate: the result is a bit-stream image stored as a file • this is different from a backup copy of the disk • backup software copies only the files the file system knows about (stored in a folder, or of a known file type); it cannot copy deleted files, instant-message remnants, or file fragments that remain in unallocated space on the disk
Bit-Stream Image • the bit-stream image is a file on the FWS • depending on the tool used to recover the evidence, it can be investigated either by • copying the bit-stream image onto a disk identical to the original medium on the FWS, re-creating the original medium, OR • investigating the bit-stream image as a file on the FWS • <insert drawing here>
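The "obtain and copy", "test the design" and bit-stream image steps above, carried out with standard tools, as an added example that is not part of the CSC 233 slides: dd makes the bit-by-bit copy, and SHA-256 digests of the original and of the image are compared to show the copy is forensically sound. The "suspect drive" is a constructed file of random bytes so the script runs offline; on a real acquisition the source would be a device such as /dev/sdb (that device name, the file names and the function names are assumptions for illustration), attached behind a hardware write blocker, or at least set read-only with blockdev --setro on Linux, before anything reads it.

```shell
#!/bin/sh
# Added example (not from the CSC 233 slides): bit-stream imaging with dd,
# plus hash verification of the copy. SRC is a constructed stand-in for a
# suspect drive; in the field it would be a block device behind a write
# blocker. Function and file names are assumptions, not course material.

# hash_file FILE: print the SHA-256 hex digest of FILE.
# Uses sha256sum (GNU coreutils) or shasum (BSD/macOS), whichever exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_device SRC DEST: bit-by-bit copy of SRC into the image file DEST.
# conv=noerror keeps reading past unreadable sectors instead of aborting;
# conv=sync pads a short read with zeros so every byte of the image stays at
# the same offset as on the original. (A whole device is sector-aligned; a
# plain file whose size is not a multiple of bs would be zero-padded, and its
# hash would then differ from the source's.)
image_device() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# verify_image ORIGINAL IMAGE: exit 0 only if both hash identically.
# These two digests are what gets recorded in the chain-of-custody notes.
verify_image() {
    orig_hash=$(hash_file "$1")
    img_hash=$(hash_file "$2")
    [ "$orig_hash" = "$img_hash" ]
}

# tamper_check ORIGINAL IMAGE: overwrite 16 bytes of IMAGE at offset 4096
# with zeros, then confirm verify_image now fails. Exit 0 if the change was
# detected, 1 if it was not.
tamper_check() {
    dd if=/dev/zero of="$2" bs=16 count=1 seek=256 conv=notrunc 2>/dev/null
    if verify_image "$1" "$2"; then return 1; else return 0; fi
}

# acquire_demo: run the whole procedure on a constructed 1 MiB "drive".
# Hashes the original before and after imaging (proving the acquisition did
# not alter it), verifies the image, then shows a modified copy is rejected.
acquire_demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/suspect.raw" bs=4096 count=256 2>/dev/null
    before=$(hash_file "$work/suspect.raw")
    image_device "$work/suspect.raw" "$work/suspect.dd"
    after=$(hash_file "$work/suspect.raw")
    [ "$before" = "$after" ] || { echo "original changed during imaging" >&2; return 1; }
    verify_image "$work/suspect.raw" "$work/suspect.dd" || { echo "image hash mismatch" >&2; return 1; }
    echo "image verified, sha256=$before"
    tamper_check "$work/suspect.raw" "$work/suspect.dd" || { echo "tamper not detected" >&2; return 1; }
    echo "modified copy correctly rejected"
    rm -rf "$work"
}

acquire_demo
```

Hashing the source both before and after the copy, as acquire_demo does, is what lets you state in the notes that the original was not changed by the acquisition; the image hash is then checked again before every later analysis session, since any single altered byte changes the digest.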
Challenges in Processing a Computer Investigation Scene • computing investigations typically involve large amounts of data, some potentially related to a crime and the rest innocent information, all commingled • a 200 GB disk drive might take several hours to image • a warrant usually requires that police officers “knock and announce”, but the ease and speed of destroying electronic evidence is a concern • e.g., a single format command
Protecting Digital Evidence • the crime scene’s security perimeter is usually not set by the computer investigator • try to prevent anyone from accessing the computer via a wireless connection (e.g., infrared or Bluetooth) • the information on a disk, in bits and bytes, is virtual in that it consists of 0s and 1s, but the courts consider it to be physical evidence • computers can contain “real” physical evidence, such as DNA residue on a keyboard or fingerprints • the suspect computer should not be examined until a bit-stream image of the disk has been captured; do not re-start the computer except with a boot disk
First Responder • a useful reference is: “Electronic Crime Scene Investigation: A Guide for First Responders”, US DOJ (2001), http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm • “It is recognized that all crime scenes are unique …” • need procedures and a crime scene protocol that minimize the chance of injury and of contamination of evidence
Identification of Evidence • look for • hardware: desktop computer, laptop, handheld computer, external hard drives, digital camera, peripheral devices such as printers or scanners • software: installation disks for specialized software, for example • (easily hidden) removable media: floppy disks, CDs, DVDs, thumb drives, evidence of backups • documentation: for hardware and software • passwords and telephone numbers • printouts: maybe in the garbage
Identification of Evidence II • unplug the modem and network cables; test the phone jack and data port to see if they are active • photograph evidence in situ; remove casings and photograph internal components, such as hard-drive jumper settings • note and photograph the contents of each window on the screen, if applicable • write-protect media where possible • the copy of the digital evidence should go to write-once storage media suitable for long-term storage (e.g., CD)
Processing a Computer Crime Scene in addition to the normal suggestions (e.g., keep a journal) … • take video recordings, including the backs and sides of all computers; place numbered labels on each cable and each plug/port, to be able to re-assemble everything • computer storage media can be small and can be disguised • a tablet PC is useful in sketching the scene • computer data is volatile, so check the computer as soon as possible: powered on or off? if powered on, pull the plug, initiate a normal shutdown, or attempt a live capture? • note: criminals may leave booby-traps to destroy data • e.g., under Microsoft DOS Command.com, the directory listing command <dir> can be redefined to run the (directory) delete-tree command <deltree> • goal: preserve as much data as possible