Cyber Forensics

Unit – 1
Computer Forensics

Prof. Ashwini Solegaonkar

Department of Information Technology and Computer Science
D. G. Ruparel College of Arts, Science and Commerce, Mumbai-16
 Preparing a Computer Investigation
• Your role as a computer forensics professional is to gather evidence from a
suspect’s computer and determine whether the suspect committed a crime or
violated a company policy.

• If the evidence suggests that a crime or policy violation has been committed, you
begin to prepare a case, which is a collection of evidence you can offer in court or
at a corporate inquiry.
Computer Forensics

• This process involves investigating the suspect’s computer and then preserving
the evidence on a different computer.

• Before you begin investigating, however, you must follow an accepted procedure
to prepare a case. By approaching each case methodically, you can evaluate the
evidence thoroughly and document the chain of evidence, or chain of custody,
which is the route the evidence takes from the time you find it until the case is
closed or goes to court.

[email protected]
 An Overview of a Computer Crime
• Law enforcement officers often find computers and computer components as
they’re investigating crimes, gathering other evidence, or making arrests.

• Computers can contain information that helps law enforcement officers

determine the chain of events leading to a crime or information providing
evidence that’s more likely to lead to a conviction.

• As an example of a case in which computers were involved in a crime, the police

Computer Forensics

raided a suspected drug dealer’s home and found a computer, several floppy
disks and USB drives (also called keychain drives or memory sticks), a personal
digital assistant (PDA), and a cell phone in a bedroom. The computer was “bagged
and tagged,” meaning it was placed in evidence bags along with the storage
media and then labeled with tags as part of the search and seizure.

[email protected]
 An Overview of a Company Policy Violation
• Companies often establish policies for employee use of computers. Employees
surfing the Internet, sending personal e-mail, or using company computers for
personal tasks during work hours can waste company time.

• Because lost time can cost companies millions of dollars, computer forensics
specialists are often used to investigate policy violations. The following example
describes a company policy violation.
Computer Forensics

[email protected]
 Taking a Systematic Approach
• Make an initial assessment about the type of case you’re investigating

• Determine a preliminary design or approach to the case

• Create a detailed checklist

• Determine the resources you need

Computer Forensics

• Obtain and copy an evidence drive

• Identify the risks

• Mitigate or minimize the risks

• Test the design

• Analyze and recover the digital evidence

[email protected]
 Taking a Systematic Approach
• Investigate the data you recover

• Complete the case report

• Critique the case

Computer Forensics

[email protected]
 Assessing the Case
• You can begin assessing this case as follows:

• Situation—Employee abuse case.

• Nature of the case—Side business conducted on the employer’s computer.

• Specifics of the case—The employee is reportedly conducting a side business

on his employer’s computer that involves registering domain names for
Computer Forensics

clients and setting up their Web sites at local ISPs. Co-workers have
complained that he’s been spending too much time on his own business and
not performing his assigned work duties. Company policy states that all
company-owned computing assets are subject to inspection by company
management at any time. Employees have no expectation of privacy when
operating company computer systems.

• Type of evidence—Small-capacity USB drive, Desktop.

[email protected]
 Assessing the Case
• Operating system—Microsoft Windows XP.

• Known disk format—FAT16.

• Location of evidence—One USB drive recovered from the employee’s

assigned computer.
Computer Forensics

Based on these details, you can determine the case requirements. You now know
that the nature of the case involves employee abuse of company assets, and you’re
looking for evidence that an employee was conducting a side business using his
employer’s computers. On the USB drive retrieved from George’s computer, you’re
looking for any information related to Web sites, ISPs, or domain names. You know
that the computer OS is Windows XP, and the USB drive uses the FAT16 file system.
To duplicate the USB drive and find deleted and hidden files, you need a reliable
computer forensics tool. Because the USB drive has already been retrieved, you
don’t need to seize the drive yourself.

[email protected]
 Assessing the Case
• You call this case the Domain Name case and determine that your task is to
gather data from the storage media seized to confirm or deny the allegation
that George is conducting a side business on company time and computers.
Remember that he’s suspected only of asset abuse, and the evidence you
obtain might be exculpatory—meaning it could prove his innocence. You
must always maintain an unbiased perspective and be objective in your fact-
findings. If you are systematic and thorough, you’re more likely to produce
Computer Forensics

consistently reliable results.

[email protected]
 Planning Your Investigation
• Now that you have identified the requirements of the Domain Name case, you
can plan your investigation. You have already determined the kind of evidence
you need; now you can identify the specific steps to gather the evidence,
establish a chain of custody, and perform the forensic analysis. These steps
become the basic plan for your investigation and indicate what you should do and
when. To investigate the Domain Name case, you should perform the following
general steps. Most of these steps are explained in more detail in the following
sections.
Computer Forensics

1. Acquire the USB drive from George’s manager.

2. Complete an evidence form and establish a chain of custody.
3. Transport the evidence to your computer forensics lab.
4. Place the evidence in an approved secure container.
5. Prepare your forensic workstation.
6. Retrieve the evidence from the secure container.
7. Make a forensic copy of the evidence drive (in this case, the USB drive).
8. Return the evidence drive to the secure container.
9. Process the copied evidence drive with your computer forensics tools

[email protected]
 Planning Your Investigation
• The first rule for all investigations is to preserve the evidence, which means it
should not be tampered with or contaminated. Because the IT Department staff
confiscated the storage media, you need to go to them for the evidence. The IT
Department manager confirms that the storage media has been locked in a
secure cabinet since it was retrieved from George’s desk. Keep in mind that even
though this case is a corporate policy matter, many cases are thrown out because
the chain of custody can’t be proved or has been broken. When this happens,
there’s the possibility that the evidence has been compromised.
Computer Forensics

• To document the evidence, you record details about the media, including who
recovered the evidence and when and who possessed it and when. Use an
evidence custody form, also called a chain-of-evidence form, which helps you
document what has and has not been done with the original evidence and
forensic copies of the evidence.
• Depending on whether you’re working in law enforcement or private corporate
security, you can create an evidence custody form to fit your environment. This
form should be easy to read and use. It can contain information for one or several
pieces of evidence. Consider creating a single-evidence form (which lists each
piece of evidence on a separate page) and a multi evidence form, depending on
the administrative needs of your investigation.

[email protected]
Computer Forensics
Assessing the Case

[email protected]
 An evidence custody form usually contains the following
information:
• Case number—The number your organization assigns when an investigation is
initiated.

• Investigating organization—The name of your organization. In large corporations

with global facilities, several organizations might be conducting investigations in
different geographic areas.

• Investigator—The name of the investigator assigned to the case. If many

Computer Forensics

investigators are assigned, specify the lead investigator’s name.

• Nature of case—A short description of the case. For example, in the corporate
environment, it might be “Data recovery for corporate litigation” or “Employee
policy violation case.”

• Location evidence was obtained—The exact location where the evidence was
collected. If you’re using multi-evidence forms, a new form should be created for
each location.

[email protected]
 An evidence custody form usually contains the following
information:
• Description of evidence—A list of the evidence items, such as “hard drive, 20 GB”
or “one USB drive, 128 MB.” On a multi-evidence form, write a description for
each item of evidence you acquire.

• Vendor name—The name of the manufacturer of the computer evidence. List a

20 GB hard drive, for example, as a Maxtor 20 GB hard drive, or describe a USB
drive as an Attache 1 GB PNY Technologies drive. In later chapters, you see how
differences among manufacturers can affect data recovery.
Computer Forensics

• Model number or serial number—List the model number or serial number (if
available) of the computer component. Many computer components, including
hard drives, memory chips, and expansion slot cards, have model numbers but
not serial numbers.

• Evidence recovered by—The name of the investigator who recovered the

evidence. The chain of custody for evidence starts with this information. If you
insert your name, for example, you’re declaring that you have taken control of the
evidence. It’s now your responsibility to ensure that nothing damages the
evidence and no one tampers with it. The person placing his or her name on this
line is responsible for preserving, transporting, and securing the evidence.

[email protected]
 An evidence custody form usually contains the following
information:

• Date and time—The date and time the evidence was taken into custody. This
information establishes exactly when the chain of custody starts.

• Evidence placed in locker—Specifies which approved secure container is used to

store evidence and when the evidence was placed in the container.

• Item #/Evidence processed by/Disposition of evidence/Date/Time—When you or

Computer Forensics

another authorized investigator retrieves evidence from the evidence locker for
processing and analysis, list the item number and your name, and then describe
what was done to the evidence.

• Page—The forms used to catalogue all evidence for each location should have
page numbers. List the page number, and indicate the total number of pages for
this group of evidence. For example, if you collected 15 pieces of evidence at one
location and your form has only 10 lines, you need to fill out two multi-evidence
forms. The first form is noted as “Page 1 of 2,” and the second page is noted as
“Page 2 of 2.”

[email protected]
Computer Forensics
Assessing the Case

[email protected]
 Securing Your Evidence
• Computing investigations demand that you adjust your procedures to suit the
case. For example, if the evidence for a case includes an entire computer system
and associated storage media, such as floppy disks, Zip and Jaz cartridges, 4 mm
DDS digital audio tape (DAT), and USB drives, you must be flexible when you
account for all these items. Some evidence is small enough to fit into an evidence
bag. Other items, such as the CPU cabinet, monitor, keyboard, and printer, are
too large.
• To secure and catalogue the evidence contained in large computer components,
you can use large evidence bags, tape, tags, labels, and other products available
Computer Forensics

from police supply vendors or office supply stores. When gathering products to
secure your computer evidence, make sure they are safe and effective to use on
computer components. Be cautious when handling any computer component to
avoid damaging the component or coming into contact with static electricity,
which can destroy digital data. For this reason, make sure you use antistatic bags
when collecting computer evidence. Consider using an antistatic pad with an
attached wrist strap, too.
• Both help prevent damage to computer evidence. Be sure to place computer
evidence in a well-padded container. Padding prevents damage to the evidence
as you transport it to your secure evidence locker, evidence room, or computer
lab. Save discarded hard drive boxes, antistatic bags, and packing material for
computer hardware when you or others acquire computer devices.
[email protected]