Module 02 Designed by . Presented by Professionals. tila Pcs ‘omputer INVESTIGATORSECURITY NEWS ED ‘April 08, 2011 The 17-officer agency in semirural Geauga County will be adding computerforensics to its repertoire this year. Five-year officer Chuck Pirnat recently was trained in tis specialization ~ pertaining to recovery of electronic evidence found in computers and digital storage media ~ and will be putting itto use once the $13,100worth of equipment has arrived. ." Chief Tim McKenna said. "I can see it being used in a vast numberof investigations... I's just the wave of the future, crimes on computers.” Until now, Chardon and most other area departments relied on outside agencies, such asthe Bureau of Criminal Identification and investigation in Fichfeld, for digital forensic. " "said Pirnat, who was traieedvia a three-week, grant-funded course oftered by the National white Collar Crime Center. This evidence is currently being everlooked by many agencies in the law enforcement field ~ geographic location information containedin celular phones, metadata in picture file, recovery of deleted and or hidden files on computer systems, just to mentiona few. htto://uwew tmcoet.com Ce aad eae eee)Module Objectives —<————— Investigating Computer Crime @ Secure the Evidence Before the Investigation @ Acquire the Data ® Computer Forensic Investigation ®@ Analyze the Data Methodology | Assess Evidence and Case ® aie pean pombe ama, @ Prepare the Final Report © Obtain Search Warrant = ane the Coutes an Expert @ Evaluate and Secure the Scene © Computer Forensics Service Collect the Evidence Providers Seated Sees naaBreet Ute) @) Determine if an incident has occurred aS (2) Find and interpret the clues left behind (3) Conduct preliminary assessment to search for the evidence (4) Search and seize the computer’s equipment Copyright© by eee aesthe Investigation Have work station and data recovery lab Build investigating team Enter into alliance with a local district attorney Review policies and laws Notify decision makers and acquire authorization Assess risks Build a computer investigation toolkit RIK 1K 1 141K 14 [< Define the methodology CHFI : e ery DOE ae ee aesBuild a Forensics Workstation © Computer forensics approach should be clearly defined before @Lia building the forensic workstation © The computer forensics workstation == should have facilities and tools to: © Support hardware-based local and remote network drive duplication € 9 © Validate the image and the file’s integrity ee © Identify the date and time when the files have been modified, accessed, €—==9 or created | © Identify the deleted files - © Support the removable media ee © Isolate and analyze free drive space Cae oe eee eee!Building the Investigation Team Determine the person —— Pe ee ere) 7 nipaewal tea ges oreo ere ; S ee eer eet ror oa ‘successful internal ener Penny computer investigation ’ i i r Cee iy Paarl | eae OE q PORMERC RES LSM eer eue eT) Bera Gro sec investigation team if yourPeople Involved in Computer Forensics © Attorney Expert Witness © Gives legal advice Offers a formal opinion as a testimony inthe court of law © Photographer Photographs the crime scene Evidence Manager © and the evidence gathered Manages the evidence in such a way that itis admissible in the court of law © incident Responder Responsible for the measures to be taken when Evidence Documenter @ an incident occurs Documents all the evidence and the phases present in the O Decision Maker investigation process Responsible for authorization of 2 policy or procedure for the ° ° investigation process Evidence Examiner/Investigator Examines the evidence acquired and sorts the useful evidence Incident Analyzer Analyzes the incidents based on their occurrence ede Coa ae ae)Review Policies and Laws Und It is essential to understand the laws that apply to the investigation including the internal organization policies before starting the investigation process Identify possible concerns related to applicable Federal statutes (such as the Electronic Communications Privacy Act of 1986 (ECPA) and the Cable Communications Policy Act (ccPA), both as amended by the USA PATRIOT ACT of 2001, and/or the Privacy Protection ‘Act of 1980 (PPA)), State statutes, and local policies and laws Determine the extent of the authority to search Determine the legal authorities for conducting an investigation Consult with a legal advisor with issues raised for any improper handling of the investigation Ensure the customer's privacy and confidentiality Copyright© by De oe eee!4 5, Forensics Laws (Cont’d) 18 USC §1029 - Fraud and related activity Rule 901 - Requirement of authentication in connection with access devices or identification Rule 608 - Evidence of character and 418 USC §1030 - Fraud and related activity in connection with computers conduct of witness 18 USC §1361-2 - Prohibits malicious mischief Rule 402 - Relevant evidence generally @) admissible; Irrelevant evidence inadmissible Rule 609 - Impeachment by evidence of conviction of crime Rule 502 - Attorney-Client privilege and work product; Limitations on waiver ® ® @ Cad Dee ea ae aesUE cu ea aad - Opinion testimony by lay witnesses - Disclosure of facts or data underlying expert opinion SEC and Cal eue Ce en ee aesNotify Decision Makers and Acquire Authorization 1. Decision makers are the people who implement policies and procedures for handling an incident 2. Notify the decision maker to be authorized when there is no written incident response policies and procedures 3. After the authorization, assess the situation and define the course of action Best practices to get authorization Obtain the authorization Document all the events Depending on the scope of the from an authorized and decisions that occurred incident and absence of any decision maker to conduct during the incident and national security issues or life vestigation incident response safety issues, the first priority is to protect the organization from further harm Catae AllRights Reserved. Reproduction Strictly Prohibited,Risk Assessment = a A caused to the computer due to the incident — e = [=e evices and systems being affected by the incident ident from spreading Crea daeieeoaed Dae eee ae)Build a Computer Investigation Toolkit Ee eay Kou eces 4 cad Alaptop computer with appropriate software tools Basic networking oo equipment and © - ee &n ss be stant media ER a Operating systems nF and patches ic Application media CHFI @ue Peed ee ete eelSteps to Prepare for a Computer Forensics Investigation (Cont’d) guidelines and tools to maintain the integrity of evidence and ensure its admissibility Investigator should have knowledge of standard evidence handling procedures, in a court of law Collect and secure all the evidence and media collected from the crime scene Keep all the processes and policy implementations in abeyance that may damage the integrity of evidence requirement, investigation techniques and urgency of the forensic Perform a preliminary assessment of the crime scene and determine the data investigation Collect the information about all the evidence collected, their operating environments and interdepencies Cade All fights Reserved. Reproduction i Strict! ProhibitedSteps to Prepare for a Computer Forensics Investigation Try to unlock the password protected or encrypted files Gather the available information such as email addresses, list of names, etc. that might assist in forensic investigation Note down the user(s) who accessed computer prior to investigator securing the image, try to find out what files they accessed, when this occurred and reason of accessing computer Maintain chain of custody for the original media which indicates the location, possession of the media has been and reason for that possession Search for relevant data by developing a list of key words or phrases Ke) ®®O®O®@® eae eee eae)Computer Forensics Investigation Obtain Search Warrant Evaluate and Secure the Scene Assess Evidence and Case Final Report Expert Witness CHFI e 3 aaa Oe eee)Obtain Search Warrant To carry out an investigation, a search warrant from a court is required If agents remove the system from the premises to conduct the search, must Warrants can be issued for an entire they return the computer system, or company, a floor ,a room, a device, copies of the seized data, to its eo °° acar,a house, or any company- cowner/user before trial? owned property g % oe e Is it practical to search the computer e system on site, or must the Ee f 4 Where will this search be examination be conducted at a field conducted? office, or laboratory? Copyright © by CO Ne eee aesExample of Search Warrant Coda CO eee eeSearches Without a Warrant >, ae g ©)» @ Destruction of Evidence @ oo 2 Agents 2] ‘When destruction of evidence is aoa _ pong ents may search a place or object without a warrant of for / “ CCE) that matter, without probable cause, if a person with authority has consented. Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973) 2@ 2Computer Forensics Investigation Obtain Search | Warrant a Vv Secure the Evidence Acquire the Data ‘ hed as Hm aya [Al Expert Witness watt Prepare the Final Report C9 tat © e Cele Oe ee eee Ne)Forensics Photography Digital photography helps in correcting the perspective of the image which is used in taking the measurements of the evidence Snapshots of the evidence and the incident prone areas need to be taken to help in the forensic process Digital photography helps to Take the photographs of all th capture, edit, and transfer the ee ee ee evidence or that which helps in it fast fi ape fete evidence finding = Photograph the evidence after Label the photographed evidence the label is applied according to the methodology Cuda Coa ae ae)When an incident occurs, the following information should be gathered: Date and time Place and location of the incident Evidence from a volatile system and non- volatile system Details of the person(s) present at the crime Name and identification of the people or person who can serve as a potential witness ea aadal eae eeFirst Responder Law oe Cony collecting the evidence, Pee eed eee Crea aanemed eee esComputer Forensics Investigation ® ai Obtain Search Warrant Testify as an Expert Witness C9 ia] © ® eer ee eee Ne)Collect Physical Evidence Collect electronic devices or any other media found at the « crime scene ‘o preserve the integrity of the physical evidence, Mai the pleces of evidence : collected should be handled carefully The physical evidence includes: © Removable media © Cables © Publications © All computer equipment, including peripherals © Items taken from the trash © Miscellaneousitems The tag provides detailed information about the i evidence “sessueen, The objects identified as evidence should be tagged Cc ere ae)Evidence Collection Form Evidence Collection Form Sr Te cl fern raas Peon A eo Dee Lat Cee een Ld 4 Baers 6 cures ts a ame 2 [ a) Sd aa eee ere eeCollect (Cont’d) List the systems involved in the incident and from which systems . evidence can be collected )) For each system, obtain the {relevant order of volatility the extent of the clock drift Capture the electronic serial Simiber of the drive and other \)\ Write protect and virus check all user-accessible, host-specific data edie (0 maintain chee of the media C/HFI ® 4 ere ee et ae)Collect Electronic Evidence Dre aiece Pet meric Se eect i FO SUC | ge Ce aes site) Smee ts diskettes and other portable media) _/ CeliaGuidelines for Acquiring Evidence Sample banners are.used to record the when used by the. unauthorized user in , organizations give clear and unequivocal notice to intruders that, by signing onto the system they are expressly consenting to such monitoring The equipments seized which is connected to the case, knowing the role of the ‘computer which will indicate what should be taken 1cess, the computer should not be Ensure that the examiner's storage device is when acquiring the evidence Write protection should be initiated, ifavailable, to and, the (oo Ks os k=) i oe a original evidence = a Led Codecs Ceca ae)Computer Forensics Investigation ‘Obtain Search Warrant Testify a5 an Expert Witness ‘Assess Evidence and Case C91] . Cente Cee oe tiarsc!‘) Secure the evidence without damaging the: Place the evidence ina secured site by not allowing any intruders to access it g ‘Maintain the chain of custody to properly track the evidence Identify digital and non digital artifacts to separate the evidence according to their behavior Secure the . Maintain a log book at the entrance of the | ) to lo Evidence and name of the person visited Place an intrusion alarm system in the entrance of the forensic lab Contact aw enforcement agencies to know how to preserve the evidence Ceara Cee eae!Evidence Vianagement ecard P ot ——_——e PI ant fan i Cea eee eee eseChain of Custody Chain of custody is a legal document that demonstrates the progression of evidence as it travels from original evidence location to the forensic laboratory Functions The chain of custody form handling, storage, testing, ee sr nog een Safeguards against perms tampering with or " " peters Se ee oy Re o ere cd Dad Cea ee ae aesChain of Custody Form caseNo.# Client Ref. # Client item # Description: Make: Model: Serial # Other Identifying # Client item # Description: Make: Model: Serial § Other Identifying # Client item # Description: Make: Model: Serial # Other Identifying # Client item # Description: Make: Model: Serial # Other Identifying # Client item #’s Date/Time Released By Received By Reason Date Name/Client Name/Cient Time Signature Signature Dn ed.Computer Forensics Investigation Obtain Search Evaluate and Warrant Secure the Scene - a. Va Expert Witness ‘and Case CHFI a ? ry Coe eee aesOriginal Evidence Should NEVER Be Used for Analysis C9 e@uve Cer ee ae ce sec)Duplicate the Data (Imaging) The data should be Duplicate the data to duplicated bit by bit to preserve the original data i j represent the same original data The data can be duplicated either The duplicated data is sent to the forensic lab - A for further analysis : SO ee software Copyright © by Cea Ree aesVerify MDS Hash Evidence Hash Value Tools Same hash values the MDS hash for shows that the the original evidence and the forensic image Cie DO ae ea asMD5 Hash Calculators: "i and Hi sence 1s cio asforet oat meee ie [ieee =] Nemes [Tetatg =] Coty cee)Recover Lost or Deleted Data Recover Data React] Bo loe NY ig M1) Collect Data Ceo sega ekg cc) ; Preemie mL internal and external Fee cea Cetra tio Re a Rae ase eal a Cd ay © Total Recall Lt) Ce eh deel All Rights Reserved. Reproduction is Strictly Prohibited.Data Recovery Software Taal Sooketeee Bee ees | Peete ree an Le) Poet eee ert erat) eae anh eee) CjHFI @2@ Cereal : Dee een)Computer Forensics Investigation (* > = a = ~ acs eae ‘the Data AR] = isi Ae ¥ ae aaa rawr (ALA ‘and Case Final Report Expert Witness 6 i@ < C9 ta : » CteData Analysis Thoroughly analyze the acquired data to draw conclusions related to the : case _ \ be Data analysis techniques depend on the scope of the case or client’s requirements This phase includes: © Analysis of the file’s content, date and time of file creation and modification, users associated with file creation, access and file modification, and physical storage location of the file © Timeline generation Identify and categorize data in order of relevance Cae Cee ee)Data Analysis Tools lead Ra Sue US Chu ed rR keira ie eu Ur cielo Paya Uren acuta sie Geletices a CHFI Xara Evidence Processing Dre ae tol Cane Cet eee oe Mee)Computer Forensics Investigation = Evaluate and Secure the Scene Obtain Search Warrant Analyze the Data LT) Prepare the Testify asan Final Report Expert Witness CHFI Ciao ee eee eee esEvidence Assessment S XM Fee Ered Conduct a thorough assessment by reviewing the search warrant or other legel authorization, case detail, nature thoroughly assessed with respect of the hardware and software, potential to the scope of the case to evidence sought, and the circumstances determine the course of action surrounding the acquisition of the evidence to be examined Conduct a Thorough Assessment a The digital evidence should be Cael Cece ea aesCase Assessment (Cont’d) Review the case investigator's request for service Determine the potential evidence being sought (e.g photographs, spreadsheets, documents, databases, and nancial records) Identify the legal authority for the forensic ‘examination request Discuss whether other forensic procasses need to be performed ‘on the evidence (e.g., DNA analysis, fingerprint, tool marks, trace, and questioned documents) genet aeaaie custody Cae eg eae eseCase Assessment Discuss the possibility of pursuing other investigative avenues to obtain additional digital evidence (e.¢., sending a preservation order to an Internet service provider (ISP), identifying remote storage locations, obtaining email) Consider the relevance of peripheral components to the investigation; for example, in forgery or fraud cases, consider non-computer equipment such as laminators, check paper, scanners, and printers (In chile pornography cases, consider digital cameras) Determine additional information regarding the case (e.g., aliases, email accounts, ISP used, names, network configuration, system logs, pesswords) which may be obtained through interviews with the system administrator, users, and employees, Copright © by eae eae)Processing Location Assessment i Ca) Pe RUC OCLC) ™ itis preferable to complete the examination in a eT rel UU Le eee Leola lt eee ea PR iene nce une) OTE ola cod else Mae isu Lac as BTU Cid see uae > Thetime needed onsite to accomplish evidence oon a eae cr eon eu eee rh ee > The suitability of the equipment, resources, media, ‘raining, and experience for an onsite examination ed J ComeyBest Practices to Assess the Evidence Analyze the physical and logical evidence for their value to the case Use a safe cabinet to secure the Review the files’ names evidence for relevance and patterns a Examine network service logs for Correlate the file headers to any events of interest the corresponding file extensions to identify any Examine the large amount of host data, mismatches Df ——O where only » portion otther cata mielt be relevarn tothe inside Perform offline analysis on a bit-wise a copy of the original evidence Search the contents ofall gathered files to help identity files that may be of interest Review the time and date stamps in the file system metadata Caled ee ete aesComputer Forensics Investigation CHFI Ceuta CO eta ca esDocumentation in Each Phase ‘Access the Data Acquire the Data Analyze the Data © Aninitial estimate of the impact «© Create a check-in/check-out © Document the information of the situation on the lst that includes information regarding the number and organization's business such as the name of the type of operating system(s) © Summaries of interviews with Peon ermine the © tocmen ta Eeee Users and system administrators evidence, the exact date an ae ai 31 fea and Husted ares ° rani o eed Big Feuy interactions and time they return it installed applications © Reports and logs generated by tools used during the © Document the user's assessment phase configuration settings © Approposed course of action a 6 | Cae Oe ae ee eelGather and Organize Information Documentation in each phase should be “identified for its relevance in the investigation ‘to gather and organize the required Gather all notes from the Assess, Acquire, and Analyze phases Identify parts of the documentation that are relevant to the investigation Identify facts to support the conclusions you will make in the report Y Create a list of all evidence to be submitted with the report List any conclusions you wish to make in your report Organize and classify the information you gathered to ensure that you get a clear and concise report cael Re ce ee aes)Writing the Investigation Report (Cont’d) Report writing is a crucial stage in the © The report should be Tite Pete d stats d J Provide descriptions of the evidence Cee as that was acquired during the ee cee oc aa Da) Incident Summary Ea tas Tie ee eS Cee ae orci Cee uate) Pee eee Uke eas Beaute tee oy responsibilities during the investigation, ete) aerate C/HFI Ln eee ee cae tee elWriting the Investigation Report Provide a detailed description of what evidence was analyzed and the analysis ‘methods that were used and also explain the findings of the analysis © _Ust the procedures that were followed during the investigation and any analysis techniques that were used Include proot of your findings, such 2s utility reports and log entries feelers © Summarize the outcome of the investigation © Gite specific evidence to prove the conclusion © The conclusion should be clear and unambiguous ST aera © Include any background information referred to throughout the report, such as network diagrams, documents that describe the computer investigation procedures used, and overviews of technologies that are involved in the investigation ©. Itis Important that supporting documents provide enough information for the report reader to understand the incident as completely as possible Crk Been ae)Sample Report (1 of 7)Sample Report (2 of 7) Seeded Dee eee)Sample Report (3 of 7)Sample Report (4 of 7) ¥ Contactwith the comoutar company revealad the counterfeit checks found on the ‘Suspoct’s computer hed boon accoptad for the purchaso of computers, and that the ‘computers were shipped 1 hin anc were the subjactor an ongoing mnvesugation Model numbere and eeria numbers provided by the computer company matehod ‘soveral of the Hotmal® and Yahoo classified ads found on the suspect's computer. 1 Several of the counterfsit checks found on the suspect's computer were already the subject of ongoing investigations, ¥ Information recovered conceming other vehicles led to the recovery of add tional stolen vehicles, The spacific information sought in the sarch warrant conceming the sala of the stolen, motorcycle andthe counterfait decuments was recovered from the suspact’s computer Conclusion The suspect eventually plead guilty end is now incarcerated, Cael eae eta)ae Cee!Sample (6 of 7) C9) Caoae cane ee ae)Sample Report (7 of 7) a re i cn nl countered ot aeks payante toa corer company eng ‘frm S25 do to $40 000 fo the aurchae ct neteboot compute. Met phic ‘Smputr copay cencerrng th putnasy of retebock carpus ‘of completin and scanned mages of US. curercy. ° 65. Twopseeverd protected a ence fies a WlorPefet®doeurentcontaing sf ef pasonslinforatien en seein ‘lal indung nares, sooraes, datos of brine ond and bank scout Iumbers snd waaraton cts, chcing acu nmaton, Hobe rr {ion Pazerorsinomorereeets rmoureyee, Passieed HELLO, crostad ove compact dicoraning copes ofthe abowe-descied ls, which wiloe ‘granedin the CFLcaso Wo. 3 copy of he eampact st waslabobd ar proc to fiesta 1900 hours: The frei tairaion wae completes Card Dee eee Mea)Computer Forensics Investigation > Be Evaluate and eae Collect the Evidence Obtain Search Warrant Analyze the Data a og Prepare the Final Report cua Cee acetates)Expert Witness An expert witness is a person who has a thorough knowledge of a subject and @ whose credentials can convince others to believe his or her opinions on that subject in a court of law 2 2 2 Role of an 2 @ Role of an Expert Witnessin @ Expert Witness Bringing Evidence to Court © Assist the court in understanding intricate evidence © Aid the attorney to get to the ‘truth S Truthfully, objectively and fully express his or her expert opinion, without regard to any views or influence eo 2@ Q [Z) Cadac ee ee aesTestifying in the Court Room © Presenting digital evidence in the court requires knowledge of new, specialized, evolving, and sometimes complex technology Familiarize with the usual procedures that are followed during a trial The attorney introduces the expert witness with high Later, its followed by the cross examination with the & regards Things that ‘opposing counsel Dee take place . in the court The opposing counsel may try to discredit the expert witness The attorney would lead the ‘expert witness through the evidence ae eee cane ted MareeClosing the Case The investigator should include what was done and oma) results in the final report The investigator should provide explanation for various processes and the various interrelated a components Basic report includes: who, what, when, where, and The report should explain the computer and network processes and inner working of the system Ina good computing investigation, the steps can be repeated and the results obtained are same every time Cala eae ae ea)Maintaining Professional Conduct ~O_ Consider all the available facts that account to the crime scene Ignore external biases to maintain the integrity of the fact- i Deas ae eee an eee eee Rear id hardware and software, networking, and forensic tools Ears Dr CRU Coca aad xed Dees cE oa Lg eer Lid © Enriched technical knowledge Se ee ae Td HFI @ae Creel Cee eae)Investigating a Company Employees using company’s, resources for personal use not only waste company’s time and resources but they also violate the company’s policy While investigating, the business must continue with minimal interruption Misusing resources includes: Trace such employees and educate them about the company's policy, and if the problem persists, perform Using company computers, - suitable action for personal tasks Surfing the Internet Sending personal emails Employees misusing resources ce can cost companies millions of dollars ® ghia) . ° ere Cee eee isComputer Forensics Service Providers (Cont’d) Paar CENTER for COMPUTERFORENSICS FORENSIC SERVICES, aLucsanoes RRA AT ANOW ss ORES BY Center for Computer Forensics PenrodEllis Forensic Data Discovery (hetp://arwwe computer forensics net) (http://www. penrodelisfdd.com) Celene Oe en eesComputer Forensics Service Providers eepi//www.evesigate.com epi eyberevidence.com Computer Forensics Services ForenSec ttp://www.compforensics.com -http://wuew.forensec.com Burgess Forensics Lab Systems tp //wor burgessforenses.com beep ferme lbaytemscoin (QQ) computer Legal Experts \ AccessData httz://uww.ontonet.com TR ietp:s/accessdata.com | Global Digital Forensics CyberEvidence | See!Module Summary Q Collect evidence that can be presented in the court of law or at a corporate inquiry Maintain a “chain of custody" for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession Q_ Obtain proper written authorization from an authorized decision maker to conduct the computer investigation 2 The first person at the scene of the incidence should collect and preserve as much evidence as possible Cal uc)Copyright 2004 ty Randy Glasbergen wnwiglasbergencom “How could somebody steal my identity when I still haven't figured out who Tam?” ett ent sears!“Access requires « passmord, retina sean, fingerprint analysis and a DNA sample. 1's the best refrigerator P've ever owned” Cece CO hee cade da