
Topic 4 Part 2

Forensic Investigation and Analysis Process

Learning objectives –
To describe and apply the steps in the forensic
investigation and analysis process

IT3563 2022 S2 Lecture 1


Forensic Investigation and Analysis Process
• Challenges in Digital Forensics
• Crime Scene Process Model
• USA Department of Justice Digital Forensic Analysis Methodology
• Preparation and Extraction
• Identification
• Analysis
• Hash Libraries for known files


Challenges in Digital Forensics
• Technical challenges
- e.g. differing media formats, encryption, steganography, anti-forensics, live acquisition and analysis.
- Correlation of activity between machines/devices

• Legal challenges
- e.g. non-localization of data, ownership and accessibility of data, jurisdictional issues, privacy issues and a lack of standardized international legislation.
- Social media and cloud forensics
- Better auditing of the investigative process

• Resource challenges
- e.g. volume of data, time taken to acquire and analyze forensic media.
- Triage of large quantities of data
- The need for faster examination processes
Crime Scene Process Model
• Preserve and isolate the digital crime scene
• Survey the crime scene for obvious evidence
• Document the crime scene
• Search for remaining evidence
• Reconstruct events to determine how the evidence got there


USA Department of Justice Digital Forensic
Analysis Methodology



Process Deliverables
• Search Leads
  ◦ Example – sample credit card numbers in a stolen credit card numbers case
• Extracted Data
  ◦ Example – processed hard drive image using EnCase
• Relevant Data
  ◦ Example – files containing credit card numbers and images of credit cards
• New Data Source Leads
  ◦ Example – email addresses, transaction logs on other servers
• Analysis Results
  ◦ Example – files containing credit card numbers that match the numbers provided by the requester


Pop-Quiz Time
• What are the search leads when a staff member is suspected of disclosing customer information to outsiders?
• Ans> The search leads could be a sample of the customer names, the staff member's login account name, and the IP address of the staff member's computer.


USA DOJ Digital Forensic Analysis Methodology

Read the details at the link below:

https://www.crime-scene-investigator.net/computer-forensics-digital-forensic-analysis-methodology.html


When to stop iterating the process?
• Return on Investment
  ◦ Return on investment determines when to stop. Typically, once enough evidence has been obtained for prosecution, the value of additional forensic analysis diminishes; each further iteration should be justified by a specific new search lead rather than by open-ended browsing.


List the steps to extract and analyse the data in the image of a mobile phone
Case Brief
CASE NAME: Unauthorized access to customer information database
SUSPECT : Olivia Robson
EVIDENCE : Samsung Android phone from Olivia Robson
On 12 May 2019, in the office of NE-Tech, during a quarterly audit of outgoing emails, information security officer Jack Nelson found an email attachment containing a list of customers and their contact information. The email was sent on 23 April 2019 at 8pm by one of the employees, Olivia Robson, to the email address [email protected]. Jack submitted an incident report to the CEO, Arnold Polgar. After reviewing the incident report, Mr. Polgar decided to call the police.
On the same day, police officers arrested Olivia at her home and seized Olivia's Samsung Android phone. The phone was sent to a forensic lab in the police department. Assume that you are the forensic investigator assigned to examine and analyze the evidence on the phone.




The steps to extract and analyse the data in the image of a mobile phone
1) Create an image of the mobile phone using a forensic tool, with the device isolated from all networks (airplane mode or a Faraday bag) and a write blocker where the acquisition path supports one; record the hash of the image so that it can be verified later
2) Create a new case and add the image of the mobile phone to the case
3) Process the image to recover deleted SMS messages, email messages, phone call details and photos
4) Do a keyword search on the search lead [email protected]
5) Read through the hits to recover the name, contacts, SMS messages and email messages related to this person
6) Identify other persons who might be involved
7) Identify other data sources that contain evidence (for example the mail server and the accounts of the other parties surfaced by the hits)


Quantities of extracted data are overwhelming
• Extracted data in a Windows system
  ◦ Recycle Bin and its index records (INFO2 on Windows XP; $I/$R files on Vista and later)
  ◦ Link (.lnk) shortcut files
  ◦ Recent folder
  ◦ Desktop folder
  ◦ My Documents folder
  ◦ SendTo folder
  ◦ Favourites folder
  ◦ Cookies folder
  ◦ History folder
  ◦ Temporary Internet Files
  ◦ Swap (pagefile) and hibernation files
  ◦ Printing artifacts (spool files)
  ◦ Windows shadow copies
  ◦ Windows event logs


Methods to speed up the examination and analysis process
• Reduce searching time
  ◦ Obtain a clear and specific list of search leads from the requester
  ◦ Do keyword searching instead of browsing
  ◦ Timeline analysis – reconstruct events in chronological order
  ◦ Hash analysis – use a hash library of known illicit images and hacker tools to locate evidence (forensic tools often group this with file signature analysis, which instead compares a file's header bytes with its extension to catch renamed files)
• Reduce data size for analysis
  ◦ Skip (or remove) known system files when searching the disk images
  ◦ Use a hash set of known files
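The phone-image procedure above (keyword search on the search lead, reading the hits for other persons, identifying new data sources) together with the timeline-analysis and "when to stop" points, carried out in code. This is an added example, not course material or the code of any forensic tool: the records, the phone number +6591230000, the addresses olivia.robson@ne-tech.example and jdoe@example.net, and buyer@example.com (standing in for the recipient address that is redacted on the slide) are all constructed for the example.

```python
"""Search-lead keyword search, lead expansion and timeline over records
recovered from a phone image. Added example, not course or tool code.
Every record, name, number and address below is constructed; the
recipient address on the slide is redacted, so "buyer@example.com"
stands in for it."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Record:
    ts: datetime   # timestamp recovered with the artifact
    kind: str      # "sms", "email" or "call"
    src: str       # sender / caller
    dst: str       # recipient / callee
    text: str      # body, subject or attachment name


# The suspect's own identifiers: never treated as a new lead.
SUBJECT_IDS = {"olivia robson", "olivia.robson@ne-tech.example"}

# Constructed sample of what a tool recovers from the image.
RECORDS = [
    Record(datetime(2019, 4, 23, 19, 40), "sms", "+6591230000", "Olivia Robson",
           "send me the customer list tonight"),
    Record(datetime(2019, 4, 23, 20, 0), "email", "olivia.robson@ne-tech.example",
           "buyer@example.com", "customers.xlsx"),
    Record(datetime(2019, 4, 23, 20, 5), "sms", "Olivia Robson", "+6591230000",
           "done, sent it to buyer@example.com"),          # recovered deleted SMS
    Record(datetime(2019, 4, 24, 9, 15), "call", "+6591230000", "Olivia Robson", ""),
    Record(datetime(2019, 4, 25, 12, 0), "email", "jdoe@example.net",
           "olivia.robson@ne-tech.example", "lunch?"),     # unrelated noise
]


def _haystack(r: Record) -> str:
    return f"{r.src} {r.dst} {r.text}".lower()


def keyword_hits(records, leads):
    """Case-insensitive keyword search over every field, instead of browsing."""
    needles = [l.lower() for l in leads]
    return [r for r in records if any(n in _haystack(r) for n in needles)]


def timeline(records):
    """Reconstruct events in chronological order."""
    return sorted(records, key=lambda r: r.ts)


def expand_leads(records, seed_leads, subject_ids, max_rounds=5):
    """Iterate search leads -> hits -> new parties -> new leads until a round
    adds nothing: the point where further searching stops paying off."""
    leads = {l.lower() for l in seed_leads}
    hits = []
    for _ in range(max_rounds):
        fresh = [r for r in keyword_hits(records, leads) if r not in hits]
        if not fresh:
            break
        hits.extend(fresh)
        new = {i.lower() for r in fresh for i in (r.src, r.dst)
               if i.lower() not in leads and i.lower() not in subject_ids}
        if not new:
            break
        leads |= new
    return timeline(hits), leads


def new_source_leads(hits, subject_ids):
    """Mail domains of the other parties in the hits: servers whose logs to request next."""
    return {i.split("@", 1)[1].lower() for r in hits for i in (r.src, r.dst)
            if "@" in i and i.lower() not in subject_ids}


if __name__ == "__main__":
    tl, leads = expand_leads(RECORDS, ["buyer@example.com"], SUBJECT_IDS)
    for r in tl:
        print(r.ts.isoformat(), r.kind, r.src, "->", r.dst, r.text)
    print("leads:", sorted(leads), "new data sources:", new_source_leads(tl, SUBJECT_IDS))
```

Starting from the single address given by the requester, the first round finds the outgoing email and the deleted SMS that mentions the address; the phone number in that SMS becomes a second lead, the second round pulls in the earlier request and the follow-up call, and the third round finds nothing new, so the loop stops. The unrelated lunch email never enters the timeline, which is the data reduction the slide is after.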


Use of hash library in analysis of extracted data
• Analysing a large set of files by computing the hash value of each file and matching it against hash sets is an important part of the digital forensics process. Using the hash library feature of a forensic tool, you can import or custom build a library of hash sets, allowing you to identify file matches in the examined evidence.
• The National Software Reference Library (NSRL) provides downloadable hash sets called the Reference Data Set (RDS).

Pop-Quiz Time
• How do you reduce the data size for forensic examination & analysis?
• Ans>
  ◦ Skip known system and application files when searching the disk images by using a hash set of known files.


Use of hash library in analysis of extracted data
• Hashing creates a digital fingerprint of a file. A fundamental property of all hash functions is that if two hashes (calculated using the same algorithm) are different, then the two inputs (files) are different in some way. On the other hand, matching hash values strongly suggest that the two inputs (files) are equal. Because collisions have been demonstrated for both MD5 and SHA-1 (someone who controls both files can make two different files share a hash), a match on a single algorithm should be treated as a lead and, where it matters to the case, confirmed with a second algorithm or a byte-for-byte comparison.
• Digital forensics analysts often create different hash sets of known illicit images, hacker tools, or non-compliant software to quickly isolate known "bad" files in evidence. Hash sets can also be created to identify files whose contents are known to be of no interest, such as operating system files and commonly used applications. Hash sets are distributed and shared among users and agencies in multiple formats, including NSRL, EnCase hash sets, Bit9 and others.


Use of hash library in analysis of extracted data
• Until recently, the hash set standard to identify a file was the MD5 hash calculation. Large hash distribution sets, such as the NSRL set, are now distributed using the SHA-1 hash calculation. Most forensic tools support hash libraries using MD5 or SHA-1; computing both in the same pass over the evidence costs little and lets you match against either kind of set and cross-check a hit.
• One disadvantage of skipping or removing known system and application files is that some application files may be used by suspects to commit crimes (a legitimate remote-access, archiving or disk-wiping tool, for example). Keep a list of the skipped files in the case notes so that a "known good" tool can be pulled back into scope if the timeline points at it.
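The hash-set triage described on the last three slides (skip known-good files, flag known-bad files, confirm a hit with a second algorithm, and do not silently drop known applications a suspect could have used), as an added example that is not course material or the code of any forensic tool. The column layout is modelled on the legacy NSRL RDS NSRLFile.txt (an assumption about that format); every file, hash set and file name here is constructed, and the "known" binaries are stand-in byte strings.

```python
"""Hash-set triage of extracted files: skip known-good, flag known-bad,
keep the rest for review. Added example, not course or tool code.
All hash sets and files are constructed for the example."""
import csv
import hashlib
import io
import tempfile
import zlib
from pathlib import Path

# Column layout modelled on the legacy NSRL RDS "NSRLFile.txt" (an assumption
# about that format; real sets are millions of rows and tool-specific).
RDS_FIELDS = ["SHA-1", "MD5", "CRC32", "FileName", "FileSize",
              "ProductCode", "OpSystemCode", "SpecialCode"]


def file_digests(path: Path) -> dict:
    """Read the file once and compute SHA-1, MD5 and CRC32 together."""
    sha1, md5, crc = hashlib.sha1(), hashlib.md5(), 0
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha1.update(chunk)
            md5.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return {"SHA-1": sha1.hexdigest().upper(), "MD5": md5.hexdigest().upper(),
            "CRC32": f"{crc:08X}", "FileSize": str(path.stat().st_size)}


def rds_row(name: str, data: bytes, product_code: str) -> dict:
    """Build one NSRL-style row from known content (used to construct the sample sets)."""
    return {"SHA-1": hashlib.sha1(data).hexdigest().upper(),
            "MD5": hashlib.md5(data).hexdigest().upper(),
            "CRC32": f"{zlib.crc32(data):08X}", "FileName": name,
            "FileSize": str(len(data)), "ProductCode": product_code,
            "OpSystemCode": "358", "SpecialCode": ""}


def to_csv(rows) -> str:
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=RDS_FIELDS, quoting=csv.QUOTE_ALL)
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def load_hash_set(text: str) -> dict:
    """Parse an NSRL-style CSV into {SHA-1: row}. SHA-1 is the lookup key; the
    MD5 column is kept so a hit can be confirmed with a second algorithm."""
    return {row["SHA-1"].upper(): row for row in csv.DictReader(io.StringIO(text))}


def digests_match(row: dict, d: dict) -> bool:
    """A hit counts only if every algorithm present in the row agrees with the
    file: MD5 and SHA-1 both have published collisions, so one alone is a lead."""
    return all(row[k].upper() == d[k] for k in ("SHA-1", "MD5") if row.get(k))


def triage(paths, known_good, known_bad, dual_use_names):
    """Bucket each extracted file. Known-good files are skipped, except those the
    examiner listed as dual-use (legitimate tools a suspect could have used),
    which are reported rather than silently dropped."""
    report = {"flag": [], "skip": [], "dual_use": [], "review": []}
    for p in paths:
        d = file_digests(p)
        h = d["SHA-1"]
        if h in known_bad and digests_match(known_bad[h], d):
            report["flag"].append((p.name, known_bad[h]["FileName"]))
        elif h in known_good and digests_match(known_good[h], d):
            bucket = "dual_use" if known_good[h]["FileName"] in dual_use_names else "skip"
            report[bucket].append((p.name, known_good[h]["FileName"]))
        else:
            report["review"].append((p.name, h))
    return report


# Constructed sample hash sets; byte strings stand in for real binaries.
KNOWN_GOOD_CSV = to_csv([
    rds_row("notepad.exe", b"hello world", "1"),                 # OS file
    rds_row("remote_admin.exe", b"constructed admin tool", "2"), # legitimate, but abusable
])
KNOWN_BAD_CSV = to_csv([rds_row("constructed_rat.exe", b"constructed rat payload", "9")])
DUAL_USE = {"remote_admin.exe"}


def build_sample_case(root: Path) -> list:
    """Write constructed 'extracted' files to disk and return their paths."""
    files = {"notepad.exe": b"hello world",
             "remote_admin.exe": b"constructed admin tool",
             "svchost.exe": b"constructed rat payload",          # renamed malware
             "customers.xlsx": b"Name,Phone\nA. Customer,+6500000000\n",  # unknown: review
             "renamed.dat": b"hello worlD"}                       # one byte changed: no match
    for name, data in files.items():
        (root / name).write_bytes(data)
    return sorted(root.iterdir())


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_sample_case(Path(tmp))
        return triage(paths, load_hash_set(KNOWN_GOOD_CSV),
                      load_hash_set(KNOWN_BAD_CSV), DUAL_USE)


if __name__ == "__main__":
    for bucket, items in run_demo().items():
        print(bucket, items)
```

Matching is by hash, not by name, so the known-bad payload is still flagged after being renamed to svchost.exe, and a file differing from a known one by a single byte is left for review rather than skipped. The dual-use bucket is the answer to the disadvantage on the slide: the known application file stays out of the bulk data but remains visible in the report.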


Pop-Quiz Time
• State one advantage and one disadvantage of skipping known system and application files in analysis.
• Ans>
  The advantage is that it reduces the data size for processing.
  The disadvantage is that some known application files could have been used by the suspect to commit the crime.


Summary
• Crime Scene Process Model
• USA Department of Justice Digital Forensic Analysis Methodology
• Preparation and Extraction
• Identification
• Analysis
• Hash Libraries for known files


References
1. Digital Forensic Analysis Chart, US Department of Justice
2. Forensic Examination of Digital Evidence – A Guide for Law Enforcement, US Department of Justice
