2011 Third International Conference on Multimedia Information Networking and Security

Computer Forensics Guidance Model with Cases Study

Sherif Hazem Noureldin1 Sherif Hashem2

Faculty of Engineering, Arab Academy for Science Faculty of Engineering, Cairo University
and Technology
Salma Abdalla3
1,2,3
Information Technology Industry Development Agency (ITIDA)

Abstract- This work present brief reports on the described and detailed with presentation of needed
summarization of the application of the previously steps on a flow chart diagram. Section 3 presents two
published comprehensive digital forensics process model real world case studies. The cases are presented in the
and the forensic teams responsibilities to two real world form of brief report. Finally, section 4 concludes the
computer forensic cases. Moreover, the information flow
work done in this paper.
between each step and each phase in the model is
discussed and elaborated in the form of flow chart
diagrams, which are then applied on the two real cases . II. The Proposed Computer Forensics Guideline
Model
Keywords: Computer Forensics, Computer Forensics This model provides details for each phase so it can
Case Study, Digital Forensics, Reference Framework. be used as guidance for forensic investigators while
investigation, and provides an easy way to train them.
I. Introduction The investigative process is structured in a flow chart
Computer forensics emerges in response to the form so that sequence of investigation is clear. It is
escalation of computer and Internet crimes. These structured to encourage a complete, rigorous
crimes are increasing due to the growing dependence investigation, ensure proper evidence handling, and
on computers and digital media. When an reduce the chance of mistakes created by
investigation is conducted to answer questions related preconceived theories and other potential pitfalls.
to an incident, some guidelines or models may need to
be met or followed [1].
This paper deploys the previously published
digital forensics model and computer forensic teams
responsibilities and processes on two real computer
forensic cases [2, 3].
Additionally, this work reconstructs the work done
on the previous papers to elaborate the information
flow between each phase. Accordingly, the model
and each phase are described in the form of flow chart
diagrams
Case study is done on two computer related cases.
Exact steps of the proposed model are followed for
investigating and examining the cases which consists
Figure 1 Model Phases
of five phases. The five phases are preparation Phase,
physical forensics and investigation phase, digital A. Preparation Phase
forensics phase, reporting and presentation phase and
closure phase. This is the first stage of incident handling procedures,
which must be applied before handling any
The 1st case is a national security incident case, investigation; the purpose of this phase is to make
while the other case is a copyright case from the sure that the operation and infrastructure can support
software Intellectual Property Rights office in Egypt. the investigation. Preparation phase can be
These two cases are identified and examined using the subdivided into the following procedures.
proposed model. The steps taken during identifying,
examining and analyzing the cases as well as the
results are documented in a brief report.
The structure of the paper is divided four sections.
Section 2 presents the previously proposed model in Figure 2 Preparation Phase
the form of a flow chart diagram. Each phase is also

978-0-7695-4559-2/11 $26.00 © 2011 IEEE 565

564
DOI 10.1109/MINES.2011.49
 1) Pre-preparation 1) Physical Preservation
This sub phase is needed to ensure that the Preservation is an ongoing process through the whole
organization is able to support investigation from the forensic procedures. The goals of the evidence
operational and infrastructure point of view. Pre- preservation are to maximize evidence availability
preparation is very important to be performed before and quality and maintain the integrity of the evidence
any investigation starts. It includes detection, during the whole investigation process [5, 6]. The
notification and identification of the crime, defines product or output of this stage should be frozen in
tasks and responsibilities among staff members, place where all the contents are mapped and
receive authorization to fully investigate the incident recorded, with accompanying photographs and basic
and the crime scene. Additionally, risk assessment, diagrams to document important areas and items.
management information, decisions; policies; 2) Preliminary Survey on Physical Scene
procedures and legal coordination are performed in
The goal of this sub phase is to identify the obvious
this sub-phase.
pieces of physical evidence and develop an initial
2) Case Evaluation theory about the crime. Investigators walk around the
Case evaluation is performed before starting the scene to recognize obvious evidences so that they try
physical crime scene investigation, it is needed to to get the big picture of what happened in the crime
provide information about the case and it tries to find scene.
the motive of this crime. 3) Evaluate the Physical Scene
3) Preparation of Detailed Design for the Case Before seizure of physical evidences, evaluation of
The general outline to investigate the case, in which the incident, the procedures and the required
detailed steps are prepared taking into account the resources to perform the seizure procedures are
estimated time, resources and money required to needed. At the conclusion of this part, investigator
complete each step. should have an idea about how to process the crime
4) Preparation of Investigation Plan scene and what special skills are needed.
The planning activity is strongly influenced by 4) Initial Documentation, Photographing and
information from both inside and outside the Narration
investigating organization [4]. A good planning is The goal is to capture as much information as
essential for the success of any investigation so possible so that the layout and important details of
planning should be given prior importance. the crime scene are preserved and recorded [7, 8]. All
5) Determination of Required Resources relevant information that is generated during the
whole investigative should be recorded to support
Determine kind of software and hardware for
decision-making as well as the legal, administrative
investigation according to suspect operating system.
processing of those decisions.
Tools that are accepted by courts (tested) should be
used. 5) Search and Collection of Physical Evidence
According to the case and depending on the initial
B. Physical Forensics and Investigation Phase case evaluation and plan, these steps could change.
The goal of this phase is to collect and analyze the This is the last phase that typically occurs on the
physical evidence and reconstruct the actions that physical crime scene and at this state digital crime
took place during the incident. It tries to identify scene investigation begins. It involves an in-depth
people who are responsible for the incident. This search and collection of the scene for additional
phase includes: physical evidence.
6) Final Survey and Reconstruction for Physical
Crime Scene
Reconstruction plays a critical role in solving
physical crimes by explaining why a piece of
physical evidence has certain characteristics [9]; this
is the same in the case of digital crimes. This sub
phase first involves reviewing the physical
investigation to identify areas of improvement. Then
it organizes the analysis results from the collected
physical evidence and using the crime scene
photographs to develop a theory for the incident. The
Figure 3 Physical Forensic and Investigation Phase scientific method is used with the evidence to test the

565
566
incident theories. The results of the digital crime
scene investigation are correlated with physical
evidence to link a person to the digital events.
C. Digital Forensics Phase
This phase treats the computer as a secondary crime
scene to search it for evidence. Investigators who
have specialized training with analysis tools and
techniques typically performs the tasks in this phase
[10]. The goal of this phase is to identify and collect
the electronic events that occurred on the secondary
scene, analyze it, and combine it with results from
physical crime scene investigation to get answers to
who, what, where, when, why, and how questions. It
includes the following steps:

Figure 5 Acquisition of Digital Evidence

Figure 4 Digital Forensics Phase 3) Survey the Digital Scene

1) Evaluation and Assessment Survey phase is performed on a live system or on the
It is needed to check the physical evidences that have snap shot image of the system. Mostly it occurs in a
been seized before starting the digital investigation lab using one of the digital crime scene replica
procedures. It may occur on a live system or on the images as it is preferred because it provides a
seized evidences to the lab. controlled environment and the results can be
2) Acquisition of Digital Evidences repeated with another copy of the system. It examines
the obvious locations for evidence and develops
The bulk of the investigation time is spent in this
strategy for how to search the system for additional
part. In the digital world, evidence is copied from the
evidence. It finds the obvious pieces of digital
scene and not removed from the scene. Retrieving the
evidence for the given class of crime and it shows the
evidence depends more likely on how exact the copy
investigator the skill level of the suspect and what
is, so to meet this need a bit stream copy also known
analysis techniques the investigation will require.
as snapshot or mirror image is needed. Collecting of
data can be done on a live system or on a shutdown 4) Digital Evidence Examination
system depends on the case. Prior to performing a full analysis of preserved
sources of digital evidence, it is necessary to extract
data that have been deleted, hidden, camouflaged, or
that are otherwise unavailable for viewing using the
native operating system and resident file system [6,
8]. The purpose of the examination process is to
locate, extract digital evidence, identify, and if
possible make visible, all data that can be recognized
as belonging to a particular data type to analyze and
reconstruct the crime scene.
General forensic principles apply when
examining digital evidence. Different types of cases
and media may require different methods of
examination. Persons conducting an examination of
digital evidence should be trained for this purpose

566
567
[11]. When conducting evidence examination, reconstruction information [7]. The final report
consider using the following steps: preparing should document whether or not the allegations were
working directories, locating evidence and extracting substantiated. It must be organized in a way, so that
data. anyone who reads it can understands it without
5) Reconstruction of Extracted Data reference to any other material. Therefore the report
must include any related documents such as log files
Once the evidence is gathered and extracted, it can be
and pictures.
used to reconstruct the crime to produce a clear
picture of the crime and identify the missing links in E. Closure Phase
the picture. There are many analysis techniques used
to present significance of evidences, it’s not The closure phase involves at the beginning
necessary to use all these techniques in all the cases, reviewing the whole case in which it reviews the
but it depends on the case nature. Some of the investigation to identify areas of improvement. It also
analysis techniques that can be used in different cases examines how well each of the physical and digital
but not limited to are: Timeframe analysis, Data investigations worked together, and whether the
hiding analysis, Application and file analysis, evidences collected were enough to solve the case.
Ownership and possession, Log Files analysis, Moreover, it determines what criminal activities must
Analysis of e-mail messages and Network analysis. be removed. Finally, it provides recommendations of
how to secure the systems and prevent this attack or
crime from happening again on it are given. The
Closure documentation should include the time and
date of release, to whom and by whom released.

III. Case Study

This section illustrates the use of the proposed model
in some real world applications. The forensic
techniques mentioned previously will be deployed in
some cases. These cases have been chosen to
highlight key issues or technologies that have arisen
from the computer forensic process. Names and
locations presented in the case scenarios are fictitious
and are not intended to reflect actual data.
A. Case 1
This case concerns with national security. The
security personnel arrested a suspected person in the
Figure 6 Reconstruction of Extracted Data airport travelling to Peace-land County with hard disk
in his handbag. The security personnel suspected the
6) Conclusion
hard disk to hold national security information.
Results obtained from any one of these steps may not Accordingly, they acquired this hard disk and it was
be sufficient to draw a conclusion [8, 11, 12]. As a sent for examination. By following the model steps
final step in the examination phase, consider the on this case, the following steps are taken and the
results from both physical and digital forensics results are documented in final report.
phases, and organize the analyze results from
Objective: Determine if the suspect used the hard
collected physical and digital evidences to link a
disk as an instrument of hiding national secret data.
person to the digital events.
Offences: Spying and gathering national secret
D. Reporting and Presentation phase information Operating system: Microsoft Windows
XP Case agent: ETIDA Where examination took
This phase is though based entirely on policy and law place: ETIDA Tools used: Guidance Software
of each country, which are different for each setting. Encase V4, HPA.exe and HDAT2.exe.
However, there are general procedures that can be
followed to document evidence and their examination Processing: This investigation starts at digital
and create a final report. This phase presents the forensics phase of the model including some of the
conclusions and corresponding evidence from the preparation phase steps as the hard disk is obtained
investigation. These presentations are intended to from security agent for examination.
provide both detailed confirmatory and event

567
568
 1) Evaluation and Assessment: c) The subject computer is booted to Dos
a) Documentation provided by the prompt with a controlled boot disk, and the
investigator is reviewed and chain of custody disk is examined for presence of HPA and
is properly documented on the appropriate DCO using hpa.exe and hdat2.exe.
departmental forms. • The test resulted in presence of HPA area of size
b) The computer forensic investigator met 364,895.
with the case agent and discussed additional • The detected area is reset using hdat2.exe.
investigative avenues and potential evidence d) Encase v4 is used to create an
being sought in the investigation. evidence file containing the image of the hard
c) Evidence intake is completed as; the disk.
type of media is documented. Then a file is • The subject computer is connected to a laboratory
created and the case information is saved in a computer through a cross-over cable, which
separate hard disk. The Hard disk is stored in connected to the computers network interface
the laboratory’s property room EITIDA card. The subject computer is booted to the DOS
forensic team. prompt with a controlled boot disk and Encase is
d) The order of evidence examining is started in server mode.
done and the result: only one hard disk is to be • The laboratory computer, equipped with a USB
examined. drive connected to it external hard disk for file
e) The case is assigned to a computer storage, is booted to Windows XP and Encase v4
forensic investigator. is started in client mode for acquisition.
f) Determination of needed equipments is Evidence files of the subject computer are
done, and equipments needed are: Computer acquired and written to external hard disk.
with IDE cables and enough memory, e) When the imaging process is
Bootable disk, tools for acquisition and tools completed, the computers are powered off.
for examination and reconstruction. • The subject Hard disk is returned to the
g) The Hard disk condition is assessed laboratory property room. The external hard disk
and it is ok and the operating system cannot be containing the Encase evidence files are write-
identified before acquisition as the hard disk is protected and entered into evidence. And all
separated from the computer. processes are documented which should include
2) Acquisition of Digital Evidences time stamp, digital signatures and signed
statements to maintain Chain of Custody.
a) The Hard disk Structure:
3) Digital Evidence Examination
• Disk: Western Digital
• Model: WDC WD200EB-00BHF0 a) A laboratory computer is prepared
with Windows XP, Encase V4 for Windows,
• Size: 20.0GB
and other forensic software programs. And a
• Serial Number: WD-WMA6K3944660
new Encase case file is opened and the subject
b) The software used for imaging computer’s evidence files were located for
automatically mount Suspect hard disk as read examination using Encase.
only (write protected). The Hard disk is
b) The evidence files are examined by
connected by IDE cable To HP-Compaq
encase
Computer for Acquisition. This computer is
named subject computer. Then the subject • Modify time zone of the evidence image to fit of
computer is examined and photographed local time zone of Cairo. And the evidence files
are verified by Encase, and verification is ok.
• The hardware is examined and documented. Then
a controlled boot disk is placed in the computer’s c) Locating Evidence on evidence image
floppy drive. The computer is powered on and the is started by:
BIOS setup program is entered. The BIOS • Initialize case script is started on the images and
results are documented. The deleted files are then
information is documented and the system time is
recovered by Encase. Then Bookmarks folder
compared to a trusted time source and
structures of the evidence image are taken. All
documented. The boot sequence is checked and files data, included file names, dates and times,
documented; the system is already set to boot physical and logical sizes, and complete path are
from the CD-Rom drive first, then Floppy drive recorded.
as second. Then the computer is powered off • Keyword text searches are conducted based on
without making any changes to the BIOS. information provided by the investigator. All hits

568
569
 are reviewed. Then Data files are opened and Objective: Determine if the subject-imaging machine
viewed; two password-protected and encrypted has pirated software. Offense: IPR crime.
files are located. Machine Type: Magnetic Resonance Imaging (MRI).
• Unallocated and slack spaces, unused space and Case agent: ETIDA. Where examination took place:
unused space that were reserved for HPA are
Vlabs medical center and ETIDA headquarters. Tools
searched.
used: Knoppix bootable CD, dd, Keyfinder.
• Swap files are searched and Unused and
unallocated areas are searched for hidden Processing: The processing steps of the case starts
partitions. with preparation phase then followed with the model
d) Extraction of data is done: phases.
• Physical extraction is used by coping unused disk 1) Preparation Phase
areas that are reserved for HPA to an external text a) Pre-preparation
file using encase. Logical extraction is done by • The incident is detected and identified as IPR case.
coping files of evidentiary value or investigative The search is discussed and personnel assignments
interest from the Encase evidence file and copied are done. The physical forensic team is
to the external disk. responsible for the physical investigation phase,
4) Reconstruction of Extracted Data while the laboratory examination team is
a) Data hiding analysis is used by responsible for the digital forensic phase.
searching on hidden areas and gaining access • Person in charge who is forensic investigator is
to HPA area. assigned. The investigator has obtained a search
warrant to acquire, examine and analyze imaging
b) Findings and summary: machines and any other equipment used in
• The analysis of the evidence image resulted in the pirating software. The paperwork is done and the
recovery of hidden data of 512 byte in size. evidence sheets are prepared. And all needed
• The hidden data is located in sector 39085190. equipments for searching and seizing evidence are
• This sector is part of the reserved area of HPA is discussed and prepared.
copied using encase to output text file. b) Preparation of Investigation Plan
5) Conclusion An onsite plan is prepared for handling the image
Based on the information revealed by the computer machines on site and gather evidences as a live case.
image analysis, the suspects eventually plead guilty. The search will be performed by Forensic
The reports and documentations should be presented investigator. The Laboratory examiner will perform
to the court of law by the courtroom team. the examination. Any additional devices, or
6) Reporting and Documentation equipments or storage media, such as CD-ROMs or
floppy disks that will be found should be seized to
Encase Bookmarked report including detailed steps the EITIDA forensic lab for examination following
and results and a final Report is created on 3/9/2008 packaging, transporting and storage procedures. And
4:00pm. evidence collection will be performed according to
7) Closure the live system of the model as the imaging machines
The case is closed from the examination point of can’t be seized to the forensic lab.
view, after presentation and reporting phase is done c) Determination of Required Resources
in the court of law. The physical Hard disk should be Packaging materials, labels, antistatic bags and
returned to his owner or according to the orders of containers are needed for seizing physical evidence,
the court. And a closure report should be created tools for image acquisition, external hard disk is
including time of closure and signature of people needed to store image and other evidence.
included in this phase.
2) Physical Forensic and Investigation Phase
B. Case 2
a) Physical Preservation
The Egyptian software IPR office in ITIDA sent a The physical crime scene is documented and
request for service to digital forensic team of EITIDA photographed. Labels are placed over all the drive
to investigate and examine Vlabs Medical Centre for slots and over the power connectors.
the presence of imaging machine suspected to have
b) Evaluate the Physical Scene
pirated software. The machines can’t be acquired to
the lab; therefore live evidence acquisition will be • The number and types of machines are identified.
needed. EITIDA forensic team is following the The number of machines is 3. Type of machines is
model steps on this case. The following steps are Siemens MRI connected to HP computers.
taken and the results are documented in a final report. • Evidence is prioritize:

569
570
 o Location where evidence is found in VLab booted using the Knoppix bootable CD to
medical center. Then the stability of media to be Knoppix live operating system. And External
examined is identified, it is stable. The disks are connected to the computers to hold the
computers are connected to internal network of images of disks.
the center connected through a switch. And the • Linux acquisition dd is used to gather an exact bit-
machines are powered on. by-bit image of the disk and stored to external disk
as machineimage1.dd, machineimage2.dd. When
c) Initial Documentation, Photographing
the imaging process is completed, as there is no
and Narration evidence that can be altered if the computers are
• Documentation of the condition and location of powered on. Therefore the computers are powered
the machines, including power status of the on to their operating systems. Then Keyfinder
machines is done. The three machines are powered software is used to find serial numbers of imaging
on. software on the computers.
• There are no active programs or active imaging • Licenses of the imaging software are requested
running. The scene is photographed and added to from the Vlab manger. And the external hard disk
photos log. And the machines screen are containing the evidence files are write-protected
photographed and added to photos log. and entered into evidence safe.
d) Search and Collection of Physical • Packaging procedures started, each package is
Evidence labeled with a unique label including name of the
• This case is a copyright protection case, so no live forensic investigator that seized and packed the
data like network or running processes need to be unit, content of the package the place where it is
gathered. Therefore the decision is to shutdown all going to be packed and from where it is taken and
the machines and the computers and captures an the time/date of packaging. And transportation
image of each device and examines it in the procedures are followed and external disks
forensic lab according to the procedures in the holding images and other components that are not
model. packed in containers are secured in a vehicle to
• The make and model of imaging machines and avoid shocks. CD-ROMs are transported in
computers are identified and documented; all separate containers.
cables and connectors are labeled. 3) Digital forensic Phase
• 2 packages of CD-ROMs are found and packaged a) Digital Evidence Examination
for transportation. And the computers are Vlab claimed that the acquired CD-ROMs hold
disconnected from the network and separated from
software license. CD-ROMS are examined, for the
all devices and connected to a portable forensic
presence of software license for the three machines.
workstation for capturing a snap shot image.
• The coming steps are according to Acquisition b) Reconstruction of Extracted Data
sub-phase in digital forensic phase as it work in • A software license of only one machine is detected
parallel with physical forensic and investigation on one CD-ROM. Two CD-ROMS holds cracks
phase due to inability to seize the machines to the for the imaging software. Then a comparison of
forensic lab. Then the case is assigned to the serial numbers on the machines and the
laboratory examiner. cracked serial numbers the CD-ROMs is
• Determination of needed equipments is done, and performed.
equipments needed are Bootable disk, dd UNIX • Findings and summary:
software will be used to acquire images of the The analysis of the machines resulted in the recovery
computer hard disks attached to the imaging of:
machines and Keyfinder software to collect serial o One machine is holding the original
numbers and product IDs.
software license as found on the original
• The Hard disks conditions are checked and they
CD-ROM.
are working properly. The machines structure and
addition evidence: o The serial numbers on the other machines
o Imaging Machines Model: SS200EB-00BHF0 are similar to the cracked serial numbers on
o Computers Model: HP PC the copied CD-ROMs. And there is no
o Serial Numbers: SMA6K3944660, original licensed software provided by the
SMA6K3767660, SMA6F7767540 manger except for one machine.
o One original CD-ROM with printed cover c) Conclusion
and two copied CD-ROMs are found. Based on the information revealed from serial
• Knoppix bootable live CD is used to create an numbers comparison, two of the machines are proved
evidence file containing the image of the hard to hold pirated imaging software, which violates IPR
disks for storage. Then the subject computers are copyright law.

570
571
 4) Reporting and Presentation phase Digital Evidence, Volume 3, 2004.
[5] N. Beebe and J. Clark, “A hierarchical, objectives-based
A final report is created on 24 November 2008 at framework for the digital investigations process”. In the
3:15 PM holding findings and results. Digital Forensic Research workshop (DFRWS),
5) Closure Baltimore, MD, June 2004.
[6] Eoghan Casey, “Digital Evidence and Computer Crime
The case is closed from the examination point of
”In Academic Press, second edition, Chapters 2, 4, 5, 9,
view, after presentation and reporting phase is done 10, 14 and 17, 2004.
in the court of law. The CD-ROMs should be [7] Brian Carrier and Eugene Spafford, “Getting Physical
returned to their owner or according to the orders of with the Digital Investigation Process”. International
the court. A closure report should be created Journal of Digital Evidence, 2003.
including time of closure and signature of people [8] Brian Carrier, “File System Forensic Analysis”. In
included in this phase. Addison Wesley, pages 35-50, 130-160, and Pages 210-
250, 2005.
IV. Conclusion [9] Brian Carrier and Eugene Spafford, “Defining Event
Reconstruction of a Digital Crime Scene”. Journal of
This work refines and reconstructs the work done on Forensic Sciences (JFS), 2004.
the previously published detailed models [2, 3] to [10] United States National Institute of Justice Technical
perform computer forensic investigation starting from Working Group for Electronic Crime Scene
the crime scene and ending in presentation of the case Investigation, “Electronic Crime Scene Investigation: A
in the court of law. These refinements are done to Guide for First Responders”. NIJ Guide, July, 2001.
clarify the sequence of investigation and [11] United states National Institute of Justice, “Forensic
Examination of Digital Evidence: A Guide for Law
examination. The work shows detailed steps needed
Enforcement”. NIJ Guide, 2004.
to be performed by investigators and examiners [12] Eoghan Casey, “Digital Evidence and Computer Crime”.
including information flow between each phase. The In Academic Press, first edition, Chapters 2 and 23, 2000.
inclusion of information flows, the investigative
activities, detailed steps of the process, makes it more
comprehensive than previous models.
This work provides a base for the development
of techniques and especially tools to support the work
of investigators. The presented model is general with
respect to technology as well as abstract enough that
it can be applied to law enforcement investigations
and corporate investigations.
These requirements are proved to be met by
applying the model on two real world case studies.
These cases have different scenarios, different
platforms and from different environments.
The case studies showed that this model is
capable of handling computer crimes and IPR crimes.
It is capable of detecting and finding secret or hidden
data that is stored in hidden areas such as HPA and
DCO areas.
REFERENCES
[1] Brain Carrier, “A Hypotheses-based Approach to digital
Forensic investigations”, PHD thesis, Purdue University,
2006.
[2] Salma Abdalla, Sherif Hazem and Sherif Hashem,
“Guideline Model for digital Forensic Investigation”.
Proceeding of Digital Forensics, Security and Law
conference, page 55, Virginia USA April 2007.
[3] Salma Abdalla, Sherif Hazem and Sherif Hashem,
“Teams Responsibilities for Digital Forensic Process”,
Proceeding of Digital Forensics, Security and Law
conference, page 95, Virginia, USA, April 2007.
[4] Seomus O’ Ciardhuain, “An Extended Model of
Cybercrime Investigations”. International Journal of

571
572