Chapter 4: Policies and Procedures

Posted Oct 30, 2013
Computer Forensics: Principles and Practices
by Volonino, Anzaldua, and Godwin


© Pearson Education Computer Forensics: Principles and Practices


Objectives

- Explain the reasons for policies and procedures
- Formulate policies and procedures
- Identify the steps in a forensic examination
- Conduct an investigation
- Report the results of an investigation


Introduction

In this chapter, you will be introduced to best practices and generally accepted guidelines and procedures used by computer forensics practitioners. These guidelines and procedures need to be customized to meet the requirements of individual cases.


Reasons for Policies and Procedures

Investigators establish generally accepted policies and procedures to ensure that:

- A benchmark is set for all cases as needed for external audits or other reference
- Processes throughout the case life-cycle are understood
- Technical procedures are well documented
- Integrity is automatically built into the handling of the case
- Different forensic investigators can work or collaborate on the same case without significant disruption
- The final report has a standard format


Personnel Hiring Issues

Characteristics important for members of a forensics unit include:

- Experience in computer forensics
- Education in relevant forensic areas
- Certifications in computer forensics
- Integrity and judgment
- Team player attitude
- Ability to adapt
- Ability to work under pressure


Personnel Training

Some training areas include:

- Computer forensics
- Network forensics
- PDA forensics
- Cellular phone forensics
- Legal issues
- Industry-specific issues
- Management training
- Investigative techniques


Pre-Case Cautions

- When deciding to take a case, consider whether your team can ensure the integrity of the case’s e-evidence
- Evidence value is time sensitive
- Links to digital information can degrade


Deciding to Take a Case

Criteria for accepting a case include:

- Whether it is a criminal or civil case
- The impact on the investigating organization
- Whether the evidence is volatile or nonvolatile
- Legal considerations about data that might be exposed
- The nature of the crime
- Potential victims, such as children in child pornography cases
- Liability issues for the organization
- The age of the case
- Amount of time before the court date


FYI: Types of Data That Might Be Exposed in an Investigation

Information that can be exposed in an investigation that is not within original scope:

- Personal financial data
- Personal e-mail
- E-mail or documents containing company secrets
- Instant messaging logs
- Privileged communications
- Proprietary information (corporate)


General Case Intake Form

- Checks for conflict of interest in the case
- Confirms the understanding and agreement among the parties involved and sets the stage for everything else about the case
- Chain of custody
- Basic evidence documentation


Documenting the First Steps in the Case

- The importance of documenting first steps cannot be overemphasized
- Questions that should be asked before traveling to a site:
  - What circumstances surrounding this case require a computer forensics expert?
  - What types of hardware and software are involved?


Equipment in a Basic Forensics Kit

- Cellular phone
- Basic hardware toolkit
- Watertight/static-resistant plastic bags
- Labels
- Bootable media
- Cables (USB, printer, FireWire)
- Writing implements
- Laptop
- PDA
- High-resolution camera
- Hardware write blocker
- Luggage cart
- Flashlight
- Power strip
- Log book
- Gloves
- External USB hard drive
- Forensic examiner platform


Steps in the Forensic Examination

- Verify legal authority
- Collect preliminary data
- Determine the environment for the investigation
- Secure and transport evidence
- Acquire the evidence from the suspect system


Verify Legal Authority

- In a criminal case, authority to conduct a search is up to the local jurisdiction
  - Search warrant required for search and seizure
  - Search warrants may need to be amended or expanded
  - Plain view doctrine allows for seizure of other materials that may be relevant
- In civil cases involving corporate equipment, investigators have greater leeway to seize


Collect Preliminary Data

Question: What types of e-evidence am I looking for?
Consideration: Are you being tasked to look for photographs, documents, databases, spreadsheets, financial records, or e-mail?

Question: What is the skill level of the user in question?
Consideration: The more sophisticated the user, the more likely that he has the capability to alter or destroy evidence.

Question: What kind of hardware is involved?
Consideration: Is it an IBM-compatible computer or a Macintosh computer?


Collect Preliminary Data (Cont.)

Question: What kind of software is involved?
Consideration: To a large degree, the type of software you are working with determines how you extract and eventually read the information.

Question: Do I need to preserve other types of evidence?
Consideration: Will you need to worry about fingerprints, DNA, or trace evidence?

Question: What is the computer environment like?
Consideration: Are you dealing with a network? If so, what are the physical/logical topology, OS, usernames and passwords?


Determine the Environment for the Investigation

Consider these factors when deciding where to conduct the examination:

- Integrity of the evidence collection process
- Estimation of the time required to do an examination
- Impact on the target organization
- Equipment resources
- Personnel considerations


Secure and Transport Evidence

- Document the evidence
  - Locate all evidence to be seized
  - Record a general description of the room:
    - Type of media found
    - All peripheral devices attached to the computer(s)
    - Make, model, and serial numbers of devices seized
    - What types of media devices are located in, near, or on the computer
  - Note all wireless devices
  - Make use of chain of custody forms


Secure and Transport Evidence (Cont.)

- Tag the evidence
  - Tag everything that will be transported back to the forensics lab:
    - All removable media
    - All computer equipment
    - Books/magazines
    - Trash contents
    - Peripherals
    - Cables
    - Notes/miscellaneous paper
  - Tag should include time, date, location, and general condition of the evidence
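The tag fields listed above (time, date, location, condition) and the chain of custody forms from the previous slide can be kept as a tamper-evident log in which every record carries the hash of the record before it, so a later edit to any record breaks the chain. The Python below is an added example, not code from the book or from Pearson; the record fields, the all-zero "previous hash" used for the first record, and the two sample entries are constructed for illustration.

```python
import hashlib
import json

# Constructed convention: the first record links to an all-zero digest.
GENESIS = "0" * 64


def _entry_hash(entry):
    """SHA-256 over a canonical JSON form so the digest does not depend on key order."""
    data = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def append_entry(log, tag_id, date, time, location, condition, custodian, action):
    """Append one tag/transfer record whose hash also covers the previous record's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "tag_id": tag_id,
        "date": date,
        "time": time,
        "location": location,
        "condition": condition,
        "custodian": custodian,
        "action": action,
        "prev_hash": prev,
    }
    entry_hash = _entry_hash(entry)  # computed before the digest field is added
    entry["entry_hash"] = entry_hash
    log.append(entry)
    return entry


def verify_chain(log):
    """Return the index of the first record that fails verification, or -1 if all links hold."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return -1


def build_sample_log():
    """Two constructed custody records for one evidence tag: seizure, then lab intake."""
    log = []
    append_entry(log, "EV-0001", "2013-10-30", "09:15", "Office 204, workstation under desk",
                 "Powered off, no visible damage", "A. Examiner", "seized and tagged")
    append_entry(log, "EV-0001", "2013-10-30", "11:40", "Forensics lab intake",
                 "Sealed antistatic bag intact", "B. Custodian", "received for transport")
    return log


def tampered_log():
    """The same log after someone edits the first record's condition without re-signing it."""
    log = build_sample_log()
    log[0]["condition"] = "Powered on"
    return log


if __name__ == "__main__":
    print("intact log:", verify_chain(build_sample_log()))   # -1
    print("tampered log:", verify_chain(tampered_log()))     # 0
```

The hash chain only detects alteration after the fact; it does not identify who altered a record. Pairing each record with the custodian's signature (or storing the digests on a separate write-once medium) is what turns detection into accountability.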


Secure and Transport Evidence (Cont.)

- Bag the evidence
  - Small items go into small antistatic bags
  - Larger items go into antistatic boxes
- Bagging evidence
  - Protects the evidence
  - Organizes the evidence
  - Preserves other potential evidence



Secure and Transport Evidence (Cont.)

- Transport the evidence
- Use these items to make transport easier:
  - Luggage cart
  - Hand cart
  - Bungee cords with hooks or clamps
  - Duct tape
  - Small cargo net
  - Leather gloves
  - Twist ties
  - Plastic cable ties/PlastiCuffs


Acquire the Evidence

- First document the hardware and software to be used in acquiring the evidence.
- Disassemble the suspect computer
- Acquire hard drive information
  - BIOS information
  - Boot sequence
  - Time and date


Acquire the Evidence (Cont.)

Basic guidelines:

- Wipe all media you plan to use and use a standard character during that wipe
- Activate the write protection
- Perform a hash of the original drive and of the forensic copy to make sure you have a bit-for-bit copy
- Do a physical acquisition to capture space not accessible by the operating system
- Make a working or backup copy
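Two of the guidelines above can be checked mechanically: that the destination media really is filled with the wipe character before it receives an image, and that the original and the forensic copy hash to the same value. The Python below is an added example, not the book's code. The sample "drive" bytes are constructed, SHA-256 stands in for whichever algorithm the lab procedure names, and both streams are read in chunks so the same code works on a multi-gigabyte device file.

```python
import hashlib
import io


def sha256_stream(stream, chunk_size=4096):
    """Hash a byte stream in fixed-size chunks, the way an imaging tool reads a device."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def is_wiped(stream, fill=b"\x00", chunk_size=4096):
    """True if every byte of the destination media equals the standard wipe character."""
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        if chunk != fill * len(chunk):
            return False
    return True


def verify_acquisition(source, image):
    """Hash original and forensic copy independently; report both digests and whether they agree."""
    src = sha256_stream(source)
    img = sha256_stream(image)
    return {"source_sha256": src, "image_sha256": img, "match": src == img}


# Constructed sample "drive": a boot-sector-like prefix, zero filler, and a trailing 0x55AA marker.
SAMPLE_DRIVE = b"\xeb\x3c\x90CONSTRUCTED-SAMPLE-VOLUME" + b"\x00" * 8000 + b"\x55\xaa"


def verify_good_copy():
    return verify_acquisition(io.BytesIO(SAMPLE_DRIVE), io.BytesIO(SAMPLE_DRIVE))


def verify_short_copy():
    # A copy that stopped two bytes early: identical leading content, different digest,
    # so the image is rejected and the acquisition repeated.
    return verify_acquisition(io.BytesIO(SAMPLE_DRIVE), io.BytesIO(SAMPLE_DRIVE[:-2]))


def check_destination(data):
    """Convenience wrapper: is this destination media wiped with the zero character?"""
    return is_wiped(io.BytesIO(data))


if __name__ == "__main__":
    print("destination wiped:", check_destination(b"\x00" * 8192))
    print("good copy:", verify_good_copy()["match"])
    print("short copy:", verify_short_copy()["match"])
```

Both digests belong in the acquisition log next to the tool and version used, because the report later has to show that the working copy examined is the same data that left the scene.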


Examining the Evidence

- There are no specific rules for examining evidence due to the variety of cases
- The experience level of the user determines how the examiner approaches the investigation of evidence
- Physical extraction or examination
- Logical extraction or examination


Examining the Evidence (Cont.)

- Bottom-layer examinations
  - File system details
  - Directory/file system structure
  - Operating system norms
  - Other partition information
  - Other operating systems (dual/multiboot systems)


Examining the Evidence (Cont.)

- Second-layer examinations
  - Exclusion of known files using hash analysis
  - File header and extension
  - Obvious files of interest
- Third-layer examinations
  - Extraction of password-protected and encrypted files
  - Extraction of compressed and deleted files
  - Link analysis
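The first two second-layer items above, excluding known files by hash and comparing each file's header bytes with its extension, as an added Python example that is not from the book. The reference hash set and the sample files are constructed; in practice the set would come from a published reference library, and the magic-number table here covers only a handful of types.

```python
import hashlib

# Constructed magic-number table: leading bytes of a few common types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF",),
    "zip": (b"PK\x03\x04",),
    "docx": (b"PK\x03\x04",),  # OOXML documents are ZIP containers
}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def detect_type(data):
    """Name the type implied by the header bytes, or 'unknown' if no signature matches."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return "unknown"


def header_matches_extension(name, data):
    """True when the header is consistent with the extension.

    Extensions in the table must match one of their signatures. Extensions outside the
    table (txt, log, ...) are accepted unless the header identifies a known binary type."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = SIGNATURES.get(ext)
    if expected is not None:
        return any(data.startswith(s) for s in expected)
    return detect_type(data) == "unknown"


def triage(files, known_hashes):
    """Split files into known (excluded), header/extension mismatches, and items left to review."""
    result = {"excluded": [], "mismatch": [], "review": []}
    for name, data in files.items():
        if sha256_bytes(data) in known_hashes:
            result["excluded"].append(name)
        elif not header_matches_extension(name, data):
            result["mismatch"].append((name, detect_type(data)))
        else:
            result["review"].append(name)
    return result


# Constructed "known good" operating-system files standing in for a reference hash set.
KNOWN_FILES = {
    "notepad.exe": b"MZ\x90\x00constructed-os-binary-1",
    "kernel32.dll": b"MZ\x90\x00constructed-os-binary-2",
}
KNOWN_HASHES = {sha256_bytes(d) for d in KNOWN_FILES.values()}

# Constructed sample files from a "suspect volume".
SAMPLE_FILES = {
    "notepad.exe": KNOWN_FILES["notepad.exe"],
    "report.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF constructed jpeg bytes named as text",
    "invoice.pdf": b"%PDF-1.4 constructed pdf body",
    "archive.zip": b"\x89PNG\r\n\x1a\n constructed png bytes renamed to zip",
    "notes.txt": b"plain constructed notes",
}


def triage_sample():
    return triage(SAMPLE_FILES, KNOWN_HASHES)


if __name__ == "__main__":
    for bucket, names in triage_sample().items():
        print(bucket, names)
```

Hash exclusion only removes files whose content is byte-for-byte identical to the reference copy; a known binary with a single byte changed will not be excluded, which is the point of the check. The mismatch list is a starting point for review, not a conclusion: a renamed file can be innocent, and the examiner still records why each one was or was not pursued.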


Examining the Evidence (Cont.)

- Fourth-layer examinations
  - Extraction of unallocated space files of interest
  - Extraction of file slack space files of interest
- Fifth-layer examinations
  - Documentation should reflect how the evidence was extracted and where it has been extracted to for further analysis


The Art of Forensics: Analyzing the Data

File analysis investigations include:

- File content
- Metadata
- Application files
- Operating system file types
- Directory/folder structure
- Patterns
- User configurations


Analyzing the Data (Cont.)

Data-hiding analyses should include:

- Password-protected files
  - Check the Internet for password-cracking software
  - Check with the software developer of the application
  - Contact a firm that specializes in cracking passwords
- Compressed files
- Encrypted files
- Steganography


Analyzing the Data (Cont.)

Time frame analysis should examine the following file attributes:

- Creation date/time
- Modified date/time
- Accessed date/time
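Time frame analysis over the three attributes above, as an added Python example that is not from the book. The file records are constructed. Beyond building the sorted timeline, the example flags a modified time earlier than the creation time; on Windows volumes this commonly results from a file being copied in from elsewhere, since the copy receives a new creation time but keeps the source's modification time.

```python
from datetime import datetime

# Constructed file records with creation, modification and access timestamps (not real case data).
SAMPLE_FILES = [
    {"path": "C:/Users/js/Documents/plan.docx",
     "created": "2013-10-01T09:12:00", "modified": "2013-10-05T17:45:00", "accessed": "2013-10-29T08:03:00"},
    {"path": "C:/Users/js/Downloads/ledger.xls",
     "created": "2013-10-28T22:10:00", "modified": "2012-03-14T10:00:00", "accessed": "2013-10-28T22:10:00"},
    {"path": "C:/Users/js/AppData/Local/Temp/~tmp1.dat",
     "created": "2013-10-29T01:15:00", "modified": "2013-10-29T01:15:00", "accessed": "2013-10-29T01:15:00"},
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def build_timeline(files):
    """Flatten the MAC times into one chronologically sorted list of (timestamp, attribute, path)."""
    events = []
    for f in files:
        for attr in ("created", "modified", "accessed"):
            events.append((parse(f[attr]), attr, f["path"]))
    events.sort()
    return events


def events_in_window(files, start, end):
    """Timeline events falling inside the period of interest (inclusive bounds)."""
    lo, hi = parse(start), parse(end)
    return [e for e in build_timeline(files) if lo <= e[0] <= hi]


def flag_anomalies(files):
    """Paths whose modified time precedes their creation time (typical of files copied in from elsewhere)."""
    return [f["path"] for f in files if parse(f["modified"]) < parse(f["created"])]


if __name__ == "__main__":
    for ts, attr, path in events_in_window(SAMPLE_FILES, "2013-10-28T00:00:00", "2013-10-29T23:59:59"):
        print(ts.isoformat(), attr, path)
    print("modified-before-created:", flag_anomalies(SAMPLE_FILES))
```

Timestamps are compared as recorded; before combining records from several systems, normalize them to one time zone and note the clock offset captured when the BIOS time and date were documented during acquisition.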


Reporting on the Investigation

- Last step is to finish documenting the investigation and prepare a report on the investigation
- Documentation should include information such as:
  - Notes taken during initial contact with the lead investigator
  - Any forms used to start the investigation
  - A copy of the search warrant
  - Documentation of the scene where the computer was located
  - Procedures used to acquire, extract, and analyze the evidence


Reporting on the Investigation (Cont.)

A detailed final report should be organized into the following sections:

- Report summary
- Body of the report
- Conclusion
- Supplementary materials


Reporting on the Investigation (Cont.)

The final detailed report should cover:

- Case investigator information, name and contact details
- The suspect user information
- Case numbers or identifiers used by your department
- Location of the examination
- Type of information you have been requested to find



Reporting on the Investigation (Cont.)

The report summary should contain:

- Files found with evidentiary value
- Supporting files that support allegations
- Ownership analysis of files
- Analysis of data within suspect files
- Search types including text strings, keywords, etc.
- Any attempts at data hiding such as passwords, encryption, and steganography


Summary

- Policies and procedures
  - Are key to a consistent and methodical investigation
  - Aid in the management of a computer forensics lab
  - Should be flexible enough to adjust to each case


Summary (Cont.)

- Four main steps to any computer forensics investigation:
  - Planning
  - Acquisition
  - Analysis
  - Reporting
- Computer forensic analyst must:
  - Keep up with the technology of the day
  - Be a psychologist who understands how people use technology