Computer Forensics BACS 371: Phases of Computer Forensics
Phases of Computer Forensics
• The purpose of this slide-set is to provide an overview and introduction to the steps taken in a full forensic investigation.
• Later material will go into detail concerning specific components of this process.
Phases of Computer Forensics
• Collection Phase
  • Get physical access to the computer and related items
  • Authentication & Preservation
  • Document the initial state of the evidence
  • Make a forensic image copy of all digital information
• Examination Phase
  • Makes evidence visible
  • Explains origin and significance
  • Develop initial hypothesis
• Analysis Phase
  • Follow the trail of clues
  • Build the evidence set
  • Revise the hypothesis
• Reporting Phase
  • Outline/review the examination process
  • Discuss pertinent data recovered
  • Document the validity of the procedure
Collection Phase
“Collection” in a forensic investigation is a series of steps related to electronic evidence. It is the
• Search for…
• Recognition of…
• Documentation of…
• Collection and Preservation of…
• Packaging and Transportation of…
…electronic evidence.
Methodology for Investigating Computer Crime
• Search and Seizure (also involves 4th Amendment issues)
  • Formulate a plan
  • Approach and secure the crime scene
  • Document the crime scene layout
  • Search for evidence
  • Retrieve evidence
  • Log & secure evidence
• This is followed by…
• Information Discovery
  • Formulate a plan
  • Search for evidence
  • Process evidence
• All this while maintaining chain of custody
Digital Evidence Collection Toolkit [1]
• Documentation Tools
  • Cable tags
  • Indelible felt-tip markers
  • Stick-on labels
• Disassembly and Removal Tools
  • Flat-blade and Phillips-type screwdrivers
  • Hex-nut drivers
  • Needle-nose pliers
  • Secure-bit drivers
  • Small tweezers
  • Specialized screwdrivers
  • Standard pliers
  • Star-type nut drivers
  • Wire cutters
• Package and Transport Supplies
  • Antistatic bags
  • Antistatic bubble wrap
  • Cable ties
  • Evidence bags
  • Evidence tape
  • Packing materials
  • Packing tape
  • Sturdy boxes of various sizes
• Other Items
  • Gloves
  • Hand truck
  • Large rubber bands
  • List of contact telephone numbers for assistance
  • Magnifying glass
  • Printer paper
  • Seizure disk
  • Small flashlight
  • Wiped flash drives
[1] Electronic Crime Scene Investigation: A Guide for First Responders, NIJ Guide, DOJ
Document the Scene [1]
• Observe and document the scene (photos and sketches)
• Take copious notes
• Document the condition of the computers
• Identify related, but not collected, electronics
• Make note of unusual computer literature
• Photograph the scene
• Photograph the computer (prior to seizure)
[1] Electronic Crime Scene Investigation: A Guide for First Responders, NIJ Guide, DOJ
Evidence Collection
While on the crime scene, you need to collect the evidence. This can include…
• Non-electronic evidence (papers, photos, …)
• Stand-alone/laptop computers
• Removable data storage (flash, disk, CD, DVD, …)
• Computers attached via a network
• Network servers
• Other electronic devices
Examination Phase
• In the examination phase you are primarily concerned with finding out what evidence is available and determining how useful it will be in your investigation.
• Prior to examination, you must make forensic images of the evidence.
• This allows you to safely process the evidence without the danger of accidentally modifying it.
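The "Authentication & Preservation" step of the Collection Phase and the imaging requirement above both rest on one check: the hash recorded when the image was acquired must still match before any examination begins. The following is an added illustration, not code from the BACS 371 slides; the chain-of-custody log format (one JSON line per action), the `record_acquisition`/`verify_image` helper names and the sample image contents are all constructed for the example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-GB images do not sit in memory

def hash_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record_acquisition(image: Path, log: Path, examiner: str, note: str) -> dict:
    """Append a chain-of-custody entry holding the image hash at acquisition."""
    entry = {
        "image": image.name,
        "sha256": hash_file(image),
        "examiner": examiner,
        "action": "acquired",
        "note": note,
        "utc": datetime.now(timezone.utc).isoformat(),
    }
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_image(image: Path, log: Path) -> bool:
    """True only if the image still matches the hash recorded at acquisition."""
    first = json.loads(log.read_text(encoding="utf-8").splitlines()[0])
    return first["sha256"] == hash_file(image)

def demo() -> tuple:
    """Acquire a constructed sample image, verify it, then alter it and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        img, log = Path(d) / "disk.dd", Path(d) / "custody.jsonl"
        img.write_bytes(b"constructed sample image contents")  # constructed data
        record_acquisition(img, log, "examiner A", "laptop HDD, bay 1")
        intact = verify_image(img, log)
        img.write_bytes(b"constructed sample image contents!")  # simulate a change
        return intact, verify_image(img, log)

if __name__ == "__main__":
    print("intact before/after change:", demo())  # (True, False)
```

In practice the examiner works only on a copy of the verified image and re-hashes the original at the end of the examination, appending that result to the same log.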
Places to Look for Information
There are a number of common places to look for evidence in the imaged data.
• Deleted files and slack space
• Recycle Bin
• System and Registry files
• Unallocated (free) disk space
• Unused disk space
• Erased information
Ways of Hiding Information
There are many ways to hide information. Some are more sophisticated than others.
• Rename the file
• Rename the file extension
• Make the information invisible
• Use Windows to hide files
• Protect the file with a password
• Encrypt the file
• Use steganography
• Compress the file
• Hide the hardware
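The two simplest techniques in that list, renaming a file or its extension, are caught during examination by comparing each file's leading bytes (its signature, or "magic bytes") with what its name claims. The following is an added example and not code from the slides; the `check_file` and `scan` helper names are assumptions, the signature table lists well-known magic bytes for a handful of common formats only, and the sample files are constructed.

```python
from pathlib import Path
from typing import Optional

# Well-known magic bytes and the extensions each one legitimately implies.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
    b"MZ": {"exe", "dll", "sys"},
    b"\x7fELF": {"elf", "so", "bin"},
}

def sniff(header: bytes) -> Optional[set]:
    """Extensions implied by the leading bytes, or None if no signature matches."""
    for magic, exts in SIGNATURES.items():
        if header.startswith(magic):
            return exts
    return None

def check_file(name: str, header: bytes) -> str:
    """'ok' if the extension agrees with the content, 'mismatch' if not, else 'unknown'."""
    implied = sniff(header)
    if implied is None:
        return "unknown"
    ext = Path(name).suffix.lstrip(".").lower()
    return "ok" if ext in implied else "mismatch"

def scan(root: Path) -> list:
    """Walk root and report every file whose content does not fit its name."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            with p.open("rb") as f:
                verdict = check_file(p.name, f.read(16))
            if verdict != "ok":
                findings.append((str(p.relative_to(root)), verdict))
    return findings

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample tree
        (Path(d) / "holiday.jpg").write_bytes(b"MZ\x90\x00\x03")  # executable renamed
        (Path(d) / "report.pdf").write_bytes(b"%PDF-1.7\n%...")
        print(scan(Path(d)))  # [('holiday.jpg', 'mismatch')]
```

Files reported as "unknown" are not suspicious by themselves; they simply need a fuller signature database or manual review.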
Analysis Phase
• Once the key information has been uncovered, it is time to put together a “picture” of what happened.
• Basically, you are building a hypothesis based on the initial evidence that was uncovered.
• This is helpful because it indicates what you need to look for next.
• This type of analysis should use the “scientific method.”
Brief Outline of the Scientific Method
Successful forensic examinations generally follow the scientific method.
• Identify and research a problem
• Formulate a hypothesis
• Conceptually and empirically test the hypothesis
• Evaluate the hypothesis with regard to the test results
• If the hypothesis is acceptable, evaluate its impact. If not, reevaluate the hypothesis
Computer Forensics Analysis Process
• Intelligence
  • Basic understanding of the issues surrounding the incident
• Hypothesis Formulation
  • Formulated with regard to the “5 Ws”
• Evidence Recovery
  • Supporting and non-supporting
• Testing
  • Support or refute the hypothesis
• Conclusion
Analysis Tools
• Analysis of evidence normally involves the use of a number of forensic tools.
• These tools help the analyst uncover and understand the evidence.
• It is best to use tools that are recognized by the court.
• It is imperative that the analyst document all steps taken so that the evidence collected and the findings reached can be defended in court.
Common Analysis Tools
• Commercial Tools
  • EnCase
  • Forensic Toolkit (FTK)
  • e-fense Helix3
  • X-Ways Forensics
• Open Source Tools
  • The Sleuth Kit
  • Autopsy browser
  • DFF
  • ProDiscover Basic
Reporting Phase
• The deliverable for the entire forensic investigative process is the report.
• This details the investigation, including:
  • Collection details
  • Evidence characteristics
  • Forensic procedures
  • Analysis techniques
  • Findings
• It should be written with an eye towards accuracy, conciseness, and professionalism.
Expert Witness Testimony
• In addition to a formal written report, the forensic analyst is often required to testify in court as an expert witness.
• This is one situation where hearsay evidence is admissible.
• The role of the expert witness is to report, as objectively as possible, the findings of the analysis.
• Your professional credibility is at stake, so your testimony should be accurate, free from bias, and understandable.