0% found this document useful (0 votes)

48 views

DF-L02-Understanding The Digital Forensics Profession and Investigations

Uploaded by

zaina.anjum9

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

48 views

DF-L02-Understanding The Digital Forensics Profession and Investigations

Uploaded by

zaina.anjum9

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 74

Guide to Computer Forensics

and Investigations
Sixth Edition

Chapter 1
Understanding The Digital Forensics Profession
and Investigations

1
Objectives
• Describe the field of digital forensics
• Explain how to prepare computer investigations and
summarize the difference between public-sector and private-
sector investigations
• Explain the importance of maintaining professional conduct
• Describe how to prepare a digital forensics investigation by
taking a systematic approach
• Describe procedures for private-sector digital investigations
• Explain requirements for data recovery workstations and
software
• Summarize how to conduct an investigation, including
critiquing a case
© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 2
classroom use.
What is digital forensics
Definition
•The application of computer science and
investigative procedures for a legal purpose
involving the analysis of digital evidence
after
•proper search authority,
•chain of custody (Evidence Transmittal Letter)
•validation with mathematics (hash function),
•use of validated tools,
•repeatability,
•reporting,
•possible expert presentation.
NIST definition of Digital Forensics
The application of science to
• identification,
• collection,
• examination, and
• analysis
of data while
• preserving the integrity of the information and
• maintaining a strict chain of custody of the data
• In October 2012, an ISO standard for digital forensics
was ratified - ISO 27037 Information technology -
Security techniques
Digital Forensics and Other Related
Disciplines (1 of 3)
• Investigating digital devices includes:
• Collecting data securely
• Examining suspect data to determine details such as origin and
content
• Presenting digital information to courts
• Applying laws to digital device practices
• Digital forensics is different from data recovery
• Which involves retrieving information that was deleted by
mistake or lost during a power surge or server crash
• Forensics investigators often work as part of a team,
known as the investigations triad

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 7
classroom use.
Digital Forensics and Other Related
Disciplines (3 of 3)
•Vulnerability/threat assessment and risk
management
• Tests and verifies the integrity of stand-along
workstations and network servers
•Network intrusion detection and incident
response
• Detects intruder attacks by using automated tools and
monitoring network firewall logs
•Digital investigations
• Manages investigations and conducts forensics analysis
of systems suspected of containing evidence
© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 8
classroom use.
A Brief History of Digital Forensics
• By the early 1990s, the International Association of
Computer Investigative Specialists (IACIS) introduced
training on software for digital forensics
• IRS created search-warrant programs
• ASR Data created Expert Witness for Macintosh
• ILook is currently maintained by the IRS Criminal
Investigation Division
• AccessData Forensic Toolkit (FTK) is a popular commercial
product

•Existing laws can’t keep up with the rate of

technological change
•When statutes don’t exist, case law is used
• Allows legal counsel to apply previous similar cases to
current one in an effort to address ambiguity in laws
•Examiners must be familiar with recent court
rulings on search and seizure in the electronic
environment

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 10
classroom use.
Developing Digital Forensics Resources
To supplement your knowledge:
1. Develop and maintain contact with computing,
network, and investigative professionals
2. Join computer user groups in both the pubic and
private sectors
Example:
Computer Technology Investigators Network (CTIN)
meets to discuss problems with digital forensics
examiners encounter
3. Consult outside experts

Digital investigations fall into two categories:

1. Public-sector investigations
2. Private-sector investigations

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 13
classroom use.
Preparing for Digital Investigations (3 of 3)
•Public-sector investigations involve government
agencies responsible for criminal investigations
and prosecution
•Fourth Amendment to the U.S. Constitution
• Restrict government search and seizure
•The Department of Justice (DOJ) updates
information on computer search and seizure
regularly
•Private-sector investigations focus more on policy
violations
© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 14
classroom use.
Understanding Law Enforcement Agency
Investigations
•When conducting public-sector investigations, you
must understand laws on computer-related crimes
including:
• Standard legal processes
• Guidelines on search and seizure
• How to build a criminal case
•The Computer Fraud and Abuse Act was passed in
1986
• Specific state laws were generally developed later

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 15
classroom use.
Following Legal Processes (1 of 2)
•A criminal investigation usually begins when
someone finds evidence of or witnesses a crime
• Witness or victim makes an allegation to the police
•Police interview the complainant and writes a
report about the crime
•Report is processed and management decides to
start an investigation or log the information in a
police blotter
• Blotter is a historical database of previous crimes

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 16
classroom use.
Following Legal Processes (2 of 2)
• Digital Evidence First Responder (DEFR)
• Arrives on an incident scene, assesses the situation, and takes
precautions to acquire and preserve evidence
• Digital Evidence Specialist (DES)
• Has the skill to analyze the data and determine when another
specialist should be called in to assist
• Affidavit - a sworn statement of support of facts about
or evidence of a crime
• Must include exhibits that support the allegation

• Private-sector investigations involve private companies

and lawyers who address company policy violations and
litigation disputes
• Example: wrongful termination
• Businesses strive to minimize or eliminate litigation
• Private-sector crimes can involve:
• E-mail harassment, falsification of data, gender and age
discrimination, embezzlement, sabotage, and industrial
espionage

• Businesses can reduce the risk of litigation by publishing

and maintaining policies that employees find easy to
read and follow
• Most important policies define rules for using the
company’s computers and networks
• Known as an “Acceptable use policy”
• Line of authority - states who has the legal right to
initiate an investigation, who can take possession of
evidence, and who can have access to evidence

• Business can avoid litigation by displaying a warning

banner on computer screens
• Informs end users that the organization reserves the right to
inspect computer systems and network traffic at will

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 21
classroom use.
Understanding Private-Sector Investigations
(5 of 8)
Sample text that can be used in internal warning
banners:
• Use of this system and network is for official business
only
• Systems and networks are subject to monitoring at any
time by the owner
• Using this system implies consent to monitoring by the
owner
• Unauthorized or illegal users of this system or network
will be subject to discipline or prosecution

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 22
classroom use.
Understanding Private-Sector Investigations
(6 of 8)
•Businesses are advised to specify an authorized
requester who has the power to initiate
investigations
•Examples of groups with authority
• Corporate security investigations
• Corporate ethics office
• Corporate equal employment opportunity office
• Internal auditing
• The general counsel or legal department

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 23
classroom use.
Understanding Private-Sector Investigations
(7 of 8)
•During private investigations, you search for
evidence to support allegations of violations of a
company’s rules or an attack on its assets
•Three types of situations are common:
• Abuse or misuse of computing assets
• E-mail abuse
• Internet abuse
•A private-sector investigator’s job is to minimize
risk to the company

•The distinction between personal and company

computer property can be difficult with cell
phones, smartphones, personal notebooks, and
tablet computers
•Bring your own device (BYOD) environment
• Some companies state that if you connect a personal
device to the business network, it falls under the same
rules as company property

• Professional conduct - includes ethics, morals, and

standards of behavior
• An investigator must exhibit the highest level of
professional behavior at all times
• Maintain objectivity
• Maintain credibility by maintaining confidentiality
• Investigators should also attend training to stay current
with the latest technical changes in computer hardware
and software, networking, and forensic tools

• The role of digital forensics professional is to gather

evidence to prove that a suspect committed a crime or
violated a company policy
• Collect evidence that can be offered in court or at a
corporate inquiry
• Investigate the suspect’s computer
• Preserve the evidence on a different computer
• Chain of custody
• Route the evidence takes from the time you find it until the case
is closed or goes to court

• Computers can contain information that helps law

enforcement determine:
• Chain of events leading to a crime
• Evidence that can lead to a conviction
• Law enforcement officers should follow proper
procedure when acquiring the evidence
• Digital evidence can be easily altered by an overeager
investigator
• A potential challenge: information on hard disks might
be password protected so forensics tools may be need to
be used in your investigation
© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 28
classroom use.
An Overview of a Company Policy Violation
• Employees misusing resources can cost companies
millions of dollars
• Misuse includes:
• Surfing the Internet
• Sending personal e-mails
• Using company computers for personal tasks

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 29
classroom use.
Planning Your Investigation (1 of 5)
A basic investigation plan should include the following
activities:
• Acquire the evidence
• Complete an evidence form and establish a chain of
custody
• Transport the evidence to a computer forensics lab
• Secure evidence in an approved secure container
• Prepare your forensics workstation
• Retrieve the evidence from the secure container
• Make a forensic copy of the evidence
• Return the evidence to the secure container
• Process the copied evidence with computer forensics tools
© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 30
classroom use.
Planning Your Investigation (2 of 5)
~ During a crime scene, should the computer be
shutdown and unplugged to collect evidence?

• Case dependant
• Incase of ddos attack the system must be unplugged
and then shutdown
• Operating system’s internal memory process
handles, open files, open ports, open connections
are recorded before unplugging the computer

•An evidence custody form helps you document

what has been done with the original evidence
and its forensics copies
• Also called a chain-of-evidence form
•Two types
• Single-evidence form
-Lists each piece of evidence on a separate page
• Multi-evidence form

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 34
classroom use.
Securing Your Evidence (1 of 2)
• Use evidence bags to secure and catalog the evidence
• Use computer safe products when collecting computer evidence
-Antistatic bags
-Antistatic pads
• Use well padded containers
• Use evidence tape to seal all openings
• CD drive bays
• Insertion slots for power supply electrical cords and USB cables
• Write your initials on tape to prove that evidence has not been
tampered with
• Consider computer specific temperature and humidity ranges
• Make sure you have a safe environment for transporting and
storing it until a secure evidence container is available
© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 35
classroom use.
Procedures for Private-Sector High-Tech
Investigations

• As an investigator, you need to develop formal

procedures and informal checklists
• To cover all issues important to high-tech investigations
• Ensures that correct techniques are used in an investigation

• The majority of investigative work for termination cases

involves employee abuse of corporate assets
• Incidents that create a hostile work environment are the
predominant types of cases investigated
• Viewing pornography in the workplace
• Sending inappropriate e-mails
• Organizations must have appropriate policies in place

• To conduct an investigation you need:

• Organization’s Internet proxy server logs
• Suspect computer’s IP address
• Suspect computer’s disk drive
• Your preferred computer forensics analysis tool

• Recommended steps
• Use standard forensic analysis techniques and procedures
• Use appropriate tools to extract all Web page URL information
• Contact the network firewall administrator and request a proxy
server log
• Compare the data recovered from forensic analysis to the proxy
server log
• Continue analyzing the computer’s disk drive data

• To conduct an investigation you need:

• An electronic copy of the offending e-mail that contains message
header data
• If available, e-mail server log records
• For e-mail systems that store users’ messages on a central
server, access to the server
• Access to the computer so that you can perform a forensic
analysis on it
• Your preferred computer forensics analysis tool

• Recommended steps
• Use the standard forensic analysis techniques
• Obtain an electronic copy of the suspect’s and victim’s e-mail
folder or data
• For Web-based e-mail investigations, use tools such as FTK’s
Internet Keyword Search option to extract all related e-mail
address information
• Examine header data of all messages of interest to the
investigation

• Under attorney-client privilege (ACP) rules for an

attorney
• You must keep all findings confidential
• Many attorneys like to have printouts of the data you
have recovered
• You need to persuade and educate many attorneys on how
digital evidence can be viewed electronically
• You can also encounter problems if you find data in the
form of binary files

• Steps for conducting an ACP case

• Request a memorandum from the attorney directing you to start
the investigation
• Request a list of keywords of interest to the investigation
• Initiate the investigation and analysis
• For disk drive examinations, make two bit-stream images using
different tools for each image
• Compare hash signatures on all files on the original and re-
created disks

• Steps for conducting an ACP case (cont’d)

• Methodically examine every portion of the disk drive and extract
all data
• Run keyword searches on allocated and unallocated disk space
• For Windows OSs, use specialty tools to analyze and extract data
from the Registry
• For binary data files such as CAD drawings, locate the correct
software product
• For unallocated data recovery, use a tool that removes or
replaces nonprintable data

• Steps for conducting an ACP case (cont’d)

• Consolidate all recovered data from the evidence bit-stream
image into folders and subfolders
• Other guidelines
• Minimize written communications with the attorney
• Any documentation written to the attorney must contain a
header stating that it’s “Privileged Legal Communication—
Confidential Work Product”
• Assist the attorney and paralegal in analyzing data

• All suspected industrial espionage cases should be

treated as criminal investigations
• Staff needed
• Digital investigator who is responsible for disk forensic
examinations
• Technology specialist who is knowledgeable of the suspected
compromised technical data
• Network specialist who can perform log analysis and set up
network sniffers
• Threat assessment specialist (typically an attorney)

• Guidelines when initiating an investigation

• Determine whether this investigation involves a possible
industrial espionage incident
• Consult with corporate attorneys and upper management
• Determine what information is needed to substantiate the
allegation
• Generate a list of keywords for disk forensics and sniffer
monitoring
• List and collect resources for the investigation

• Guidelines (cont’d)
• Determine goal and scope of the investigation
• Initiate investigation after approval from management
• Planning considerations
• Examine all e-mail of suspected employees
• Search Internet newsgroups or message boards
• Initiate physical surveillance
• Examine facility physical access logs for sensitive areas

• Planning considerations (cont’d)

• Determine suspect location in relation to the vulnerable asset
• Study the suspect’s work habits
• Collect all incoming and outgoing phone logs
• Steps to conducting an industrial espionage case
• Gather all personnel assigned to the investigation and brief them
on the plan
• Gather resources to conduct the investigation

• Steps (cont’d)
• Place surveillance systems at key locations
• Discreetly gather any additional evidence
• Collect all log data from networks and e-mail servers
• Report regularly to management and corporate attorneys
• Review the investigation’s scope with management and
corporate attorneys

• Becoming a skilled interviewer and interrogator can take

many years of experience
• Interview
• Usually conducted to collect information from a witness or
suspect
- About specific facts related to an investigation

• Interrogation
• Process of trying to get a suspect to confess

• Role as a digital investigator

• To instruct the investigator conducting the interview on what
questions to ask
- And what the answers should be

• Ingredients for a successful interview or interrogation

• Being patient throughout the session
• Repeating or rephrasing questions to zero in on specific facts
from a reluctant witness or suspect
• Being tenacious

• Investigations are conducted on a computer forensics lab

(or data-recovery lab)
• In data recovery, the customer or your company just wants the
data back
• Computer forensics workstation
• A specially configured PC
• Loaded with additional bays and forensics software
• To avoid altering the evidence use:
• Write-blockers devices
- Enable you to boot to Windows without writing data to the evidence drive

• Basic requirements
• A workstation running Windows 7 or later
• A write-blocker device
• Digital forensics acquisition tool
• Digital forensics analysis tool
• Target drive to receive the source or suspect disk data
• Spare PATA or SATA ports
• USB ports

• Additional useful items

• Network interface card (NIC)
• Extra USB ports
• FireWire 400/800 ports
• SCSI card
• Disk editor tool
• Text editor tool
• Graphics viewer program
• Other specialized viewing tools

• Gather resources identified in investigation plan

• Items needed
• Original storage media
• Evidence custody form
• Evidence container for the storage media
• Bit-stream imaging tool
• Forensic workstation to copy and examine your evidence
• Securable evidence locker, cabinet, or safe

• Avoid damaging the evidence

• Steps
• Meet the IT manager to interview him
• Fill out the evidence form, have the IT manager sign
• Place the evidence in a secure container
• Carry the evidence to the computer forensics lab
• Complete the evidence custody form
• Secure evidence by locking the container

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 57
classroom use.
Acquiring an Image of Evidence Media
•First rule of computer forensics
• Preserve the original evidence
•Conduct your analysis only on a copy of the data
•Several vendors provide MS-DOS, Linux, and
Windows acquisition tools
• Windows tools require a write-blocking device when
acquiring data from FAT or NTFS file systems

• Bit-stream copy
• Bit-by-bit copy of the original
storage medium File1 File2 Deleted file
• Exact copy of the original disk
• copy deleted files, e-mail
messages or recover file
Bit-stream copy
fragments
• known as “image” or “image
file”
• Backup copy backup copy
• Backup software only copy
known files
• Backup software cannot copy
deleted files, e-mail messages or
recover file fragments
59
Acquiring an image of evidence media (2 of 2)
Copy image file to a target disk that matches the
original disk’s manufacturer, size and model

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 60
classroom use.
Analyzing Your Digital Evidence (1 of 8)
• Your job is to recover data from:
• OS, applications, logs
• Deleted files
• File fragments
• Complete files
• Memory

• Deleted files linger on the disk until new data is saved on

the same physical location
• Tools can be used to retrieve deleted files
• Autopsy

• Steps to analyze a USB drive

• Start Autopsy
• Create a new case
• Type the case name
• Select the working folder
• Steps to add source data
• Select data source type
• Select image file
• Keep the default settings in the Configure Ingest Modules
window

• Steps to display the contents of the acquired data

• Click to expand Views, File Types, By Extension, and Documents
• Select file to display
• Click Tag and Comment
• Click the New Tag Name button
• Analyze the data
• Search for information related to the complaint
• Data analysis can be most time-consuming task

• With Autopsy you can:

• Search for keywords of interest in the case
• Display the results in a search results window
• Click each file in the search results window and examine its
content in the data area
• Export the data to a folder of your choice
• Search for specific filenames
• Generate a report of your activities
• Additional features of Autopsy
• Display binary (nonprintable) data in the Content Viewer

• You need to produce a final report

• State what you did and what you found
• Include Autopsy report to document your work
• Repeatable findings
• Repeat the steps and produce the same result
• If required, use a report template
• Report should show conclusive evidence
• Suspect did or did not commit a crime or violate a company
policy

• Keep a written journal of everything you do

• Your notes can be used in court
• Answer the six Ws:
• Who, what, when, where, why, and how
• You must also explain computer and network processes
• Autopsy Report Generator
• Can generate reports in different styles: plain text, HTML and
Excel

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 70
classroom use.
Critiquing the Case
•Ask yourself the following questions:
• How could you improve your performance in the case?
• Did you expect the results you found? Did the case
develop in ways you did not expect?
• Was the documentation as thorough as it could have
been?
• What feedback has been received from the requesting
source?
• Did you discover any new problems? If so, what are they?
• Did you use new techniques during the case or during
research?
© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 71
classroom use.
Summary (1 of 3)

• Digital forensics involves systematically accumulating

and analyzing digital information for use as evidence in
civil, criminal, and administrative cases
• Investigators need specialized workstations to examine
digital evidence
• Public-sector and private-sector investigations differ;
public-sector typically require search warrants before
seizing digital evidence

© 2019 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for 72
classroom use.
Summary (2 of 3)
• Always use a systematic approach to your investigations
• Always plan a case taking into account the nature of the
case, case requirements, and gathering evidence
techniques
• Both criminal cases and corporate-policy violations can
go to court
• Plan for contingencies for any problems you might
encounter
• Keep track of the chain of custody of your evidence

• Internet abuse investigations require examining server

log data
• For attorney-client privilege cases, all written
communication should remain confidential
• A bit-stream copy is a bit-by-bit duplicate of the original
disk
• Always maintain a journal to keep notes on exactly what
you did
• You should always critique your own work

SCI4201 Lecture 1 - Overview
100% (1)
SCI4201 Lecture 1 - Overview
45 pages
The Threat Environment: Attackers and Their Attacks
No ratings yet
The Threat Environment: Attackers and Their Attacks
8 pages
Chap 01
No ratings yet
Chap 01
65 pages
Chapter 01
No ratings yet
Chapter 01
54 pages
CH 1
No ratings yet
CH 1
55 pages
Guide To Computer Forensics and Investigations Fifth Edition
No ratings yet
Guide To Computer Forensics and Investigations Fifth Edition
76 pages
1 Intro To Forensicsv1
No ratings yet
1 Intro To Forensicsv1
23 pages
Lecture 1_APIC 1.2.3 (1)
No ratings yet
Lecture 1_APIC 1.2.3 (1)
48 pages
4482 For L1
No ratings yet
4482 For L1
93 pages
CF Lecture 02-Digital Forensics and Cyber Crimes
100% (1)
CF Lecture 02-Digital Forensics and Cyber Crimes
43 pages
CH 01
No ratings yet
CH 01
39 pages
CH 01
No ratings yet
CH 01
54 pages
Topic01 Understanding DF
No ratings yet
Topic01 Understanding DF
52 pages
PPT ch01
No ratings yet
PPT ch01
39 pages
Guide To Computer Forensics and Investigations
No ratings yet
Guide To Computer Forensics and Investigations
39 pages
Nelson 04
No ratings yet
Nelson 04
71 pages
Guide To Computer Forensics and Investigations Fourth Edition
No ratings yet
Guide To Computer Forensics and Investigations Fourth Edition
57 pages
Unit Ii CF
No ratings yet
Unit Ii CF
39 pages
Introduction to Forensics (2)
No ratings yet
Introduction to Forensics (2)
57 pages
Lecture 3 - in Detail
No ratings yet
Lecture 3 - in Detail
57 pages
Chapter 1 - Computer Forensics and Investigations as a Profession
No ratings yet
Chapter 1 - Computer Forensics and Investigations as a Profession
43 pages
Lecture 1a Digital Forensic
No ratings yet
Lecture 1a Digital Forensic
40 pages
Guide To Computer Forensics and Investigations Fourth Edition
No ratings yet
Guide To Computer Forensics and Investigations Fourth Edition
79 pages
LECTURE 1. Cyber Sec and Digital Forensics
100% (1)
LECTURE 1. Cyber Sec and Digital Forensics
76 pages
Unit Ii CF
No ratings yet
Unit Ii CF
97 pages
4680 ch01
No ratings yet
4680 ch01
39 pages
Guide To Computer Forensics and Investigations Fourth Edition
No ratings yet
Guide To Computer Forensics and Investigations Fourth Edition
70 pages
Digital Forensics
No ratings yet
Digital Forensics
23 pages
Gcfi6e Im Ch04
No ratings yet
Gcfi6e Im Ch04
16 pages
Gcfi6e Im Ch01
No ratings yet
Gcfi6e Im Ch01
20 pages
Lecture 5 Processing Crime and Incident Scenes
No ratings yet
Lecture 5 Processing Crime and Incident Scenes
66 pages
Fallsem2023-24 Cse4004 Eth2
No ratings yet
Fallsem2023-24 Cse4004 Eth2
42 pages
SCI4201 Lecture 5 - Processing Crime and Incident Scenes
No ratings yet
SCI4201 Lecture 5 - Processing Crime and Incident Scenes
66 pages
INCS-712: Computer Forensics Cyber Forensics, Crime Scene Analysis
No ratings yet
INCS-712: Computer Forensics Cyber Forensics, Crime Scene Analysis
50 pages
BISF 2204 CLASS TASK 1
No ratings yet
BISF 2204 CLASS TASK 1
16 pages
DF-L06-Processing Crime and Incident Scenes
No ratings yet
DF-L06-Processing Crime and Incident Scenes
71 pages
Computer Forensics and Investigations As A Profession
No ratings yet
Computer Forensics and Investigations As A Profession
34 pages
2 Understanding DFI - Xid-10667290 - 2
No ratings yet
2 Understanding DFI - Xid-10667290 - 2
41 pages
Introduction To Digital Forensics
50% (2)
Introduction To Digital Forensics
28 pages
Unit10
No ratings yet
Unit10
19 pages
Guide To Computer Forensics and Investigations, Second Edition
No ratings yet
Guide To Computer Forensics and Investigations, Second Edition
15 pages
Computer Forensic 3
No ratings yet
Computer Forensic 3
19 pages
Computer Crime and Computer Forensics: Investigative Techniques
No ratings yet
Computer Crime and Computer Forensics: Investigative Techniques
37 pages
Unit 01
No ratings yet
Unit 01
34 pages
CH 01
No ratings yet
CH 01
8 pages
Module Code: Comp40571 Module Title: Computer Forensics Module Leader: DR John Haggerty
No ratings yet
Module Code: Comp40571 Module Title: Computer Forensics Module Leader: DR John Haggerty
15 pages
Lec 4
No ratings yet
Lec 4
40 pages
Cyber Forensics & Investigation: An Introduction
No ratings yet
Cyber Forensics & Investigation: An Introduction
45 pages
Career in Computer Forensics
No ratings yet
Career in Computer Forensics
6 pages
CF-UNIT-I PPT (1)
No ratings yet
CF-UNIT-I PPT (1)
49 pages
Lecture 1 Introduction to Digital Forensics
No ratings yet
Lecture 1 Introduction to Digital Forensics
65 pages
Module 1 - Introduction To Digital Investigation and Forensics
No ratings yet
Module 1 - Introduction To Digital Investigation and Forensics
34 pages
Module-V Cyber Crime and Incident Response
No ratings yet
Module-V Cyber Crime and Incident Response
91 pages
Digital
No ratings yet
Digital
86 pages
Digital Forensics: Module 1: Computer Forensics and Investigation
No ratings yet
Digital Forensics: Module 1: Computer Forensics and Investigation
33 pages
1st lecture Digital Forenciscs - DFS
No ratings yet
1st lecture Digital Forenciscs - DFS
34 pages
DF Notes Sem8 Comps BW
No ratings yet
DF Notes Sem8 Comps BW
83 pages
df_unit1_pdf_26-9-24
No ratings yet
df_unit1_pdf_26-9-24
26 pages
unit 5 understanding computer forensics
No ratings yet
unit 5 understanding computer forensics
47 pages
RV Lawyer: The Use of Technology for Remote Lawyering
From Everand
RV Lawyer: The Use of Technology for Remote Lawyering
Richard M. "Rick" Georges
5/5 (1)
Cyber Forensics and Investigation on Smart Devices: Volume 1
From Everand
Cyber Forensics and Investigation on Smart Devices: Volume 1
Akashdeep Bhardwaj
No ratings yet
NHS Information Technology Policy
No ratings yet
NHS Information Technology Policy
15 pages
KAV - CG Mini Project Report Format
No ratings yet
KAV - CG Mini Project Report Format
5 pages
Internet Brings More Harm Than Good
33% (3)
Internet Brings More Harm Than Good
11 pages
Classical Cryptography: Kunwar Singh NIT Trichy
No ratings yet
Classical Cryptography: Kunwar Singh NIT Trichy
31 pages
National Intelligence Strategy 2019
No ratings yet
National Intelligence Strategy 2019
36 pages
Anonymous Operations and Techniques
No ratings yet
Anonymous Operations and Techniques
26 pages
The Evolution of Technology For The Accounting Profession
No ratings yet
The Evolution of Technology For The Accounting Profession
8 pages
Workshop Solutions
No ratings yet
Workshop Solutions
46 pages
Advances in Digital Forensics X PDF
No ratings yet
Advances in Digital Forensics X PDF
336 pages
Wolfcom 3rd Eye Police Camera Brochure
No ratings yet
Wolfcom 3rd Eye Police Camera Brochure
14 pages
3b Extensive-Form Games
100% (1)
3b Extensive-Form Games
17 pages
Practice test 40*
No ratings yet
Practice test 40*
6 pages
CSS 3rd Quarter Exam
100% (3)
CSS 3rd Quarter Exam
2 pages
SQL Injection - Project Report
No ratings yet
SQL Injection - Project Report
14 pages
83.development of Anti Rigging Voting System Using Finger Print
100% (1)
83.development of Anti Rigging Voting System Using Finger Print
4 pages
Numb
No ratings yet
Numb
25 pages
The Magic Cafe Forums - Bert Reese Information
No ratings yet
The Magic Cafe Forums - Bert Reese Information
5 pages
Unit 1
No ratings yet
Unit 1
3 pages
Bus Part B2P ReadingBank U7
No ratings yet
Bus Part B2P ReadingBank U7
2 pages
MTT34 FINALforweb
No ratings yet
MTT34 FINALforweb
24 pages
Proclamation No 808 2013 Information Network Security Agency
100% (1)
Proclamation No 808 2013 Information Network Security Agency
8 pages
Cpni 20124
No ratings yet
Cpni 20124
2 pages
Lecture2 Hand
No ratings yet
Lecture2 Hand
12 pages
Rooms For Myanmars in Singapore: Common Bedok
No ratings yet
Rooms For Myanmars in Singapore: Common Bedok
7 pages
CyberCrimes Cyber Prevention
No ratings yet
CyberCrimes Cyber Prevention
11 pages
_OceanofPDF.com_Eleanor_Jones_cant_keep_a_secret_-_Amy_Doak
No ratings yet
_OceanofPDF.com_Eleanor_Jones_cant_keep_a_secret_-_Amy_Doak
207 pages
1 - Unit 5 - Assignment 1 Guidance
No ratings yet
1 - Unit 5 - Assignment 1 Guidance
3 pages
Non Disclosure Agreement
No ratings yet
Non Disclosure Agreement
3 pages
National Highway Division - Ahmedabad
100% (1)
National Highway Division - Ahmedabad
4 pages

DF-L02-Understanding The Digital Forensics Profession and Investigations

Uploaded by

DF-L02-Understanding The Digital Forensics Profession and Investigations

Uploaded by

Guide to Computer Forensics

•Existing laws can’t keep up with the rate of

Digital investigations fall into two categories:

• Private-sector investigations involve private companies

• Businesses can reduce the risk of litigation by publishing

• Business can avoid litigation by displaying a warning

•The distinction between personal and company

• Professional conduct - includes ethics, morals, and

• The role of digital forensics professional is to gather

• Computers can contain information that helps law

•An evidence custody form helps you document

• As an investigator, you need to develop formal

• The majority of investigative work for termination cases

• To conduct an investigation you need:

• To conduct an investigation you need:

• Under attorney-client privilege (ACP) rules for an

• Steps for conducting an ACP case

• Steps for conducting an ACP case (cont’d)

• Steps for conducting an ACP case (cont’d)

• All suspected industrial espionage cases should be

• Guidelines when initiating an investigation

• Planning considerations (cont’d)

• Becoming a skilled interviewer and interrogator can take

• Role as a digital investigator

• Ingredients for a successful interview or interrogation

• Investigations are conducted on a computer forensics lab

• Additional useful items

• Gather resources identified in investigation plan

• Avoid damaging the evidence

• Deleted files linger on the disk until new data is saved on

• Steps to analyze a USB drive

• Steps to display the contents of the acquired data

• With Autopsy you can:

• You need to produce a final report

• Keep a written journal of everything you do

• Digital forensics involves systematically accumulating

• Internet abuse investigations require examining server

You might also like