INCS-712: Computer Forensics Cyber Forensics, Crime Scene Analysis

This document provides an overview of computer forensics and the cyber forensic process. It discusses identifying digital crime scenes, collecting evidence following principles of documentation and imaging to preserve the original, and examining the evidence through analyzing file systems, recovering deleted files, and determining timelines. The overall methodology consists of acquiring evidence without altering it, authenticating any copies or images, and analyzing the data. Maintaining a proper chain of custody is also emphasized.

Uploaded by

deepak

wli35@nyit.edu

INCS-712: Computer Forensics

Cyber Forensics, Crime Scene Analysis



Our Teaching Assistant


• Sneha Mutta Bhogesh

[email protected]

• Office Hour: by Email appointments

• Assignments, projects, and answering questions.


Cyber Forensics, Crime Scenes Analysis

Part One: Crime Scenes Analysis



Cyber Forensics
• The scientific examination and analysis of digital
evidence in such a way that the information can
be used as evidence in a court of law.
• Includes:
• Networks (Network Forensics)
• Small Scale Digital Devices
• Storage Media (Computer forensics)
• Code Analysis


Cyber Forensic Activities


• Cyber forensics activities commonly include:
• the secure collection of computer data
• the identification of suspect data
• the examination of suspect data to determine details such
as origin and content
• the presentation of computer-based information to courts
of law
• the application of a country's laws to computer practice.


The 3 As
The basic methodology consists of the 3 As:
– Acquire the evidence without altering or damaging the original
– Authenticate the image
– Analyze the data without modifying it


Crime Scenes
• Physical Crime Scenes vs. Cyber/Digital Crime
Scenes
• Overlapping principles
• The basics of criminalistics are constant across
both physical and cyber/digital
• Locard’s Principle applies
• “When a person commits a crime something is always left at the
scene of the crime that was not present when the person arrived”


Digital Crime Scene


• Digital Evidence
• Digital data that establish that a crime has been committed,
can provide a link between a crime and its victim, or can
provide a link between a crime and the perpetrator (Carrier
& Spafford, 2003)
• Digital Crime Scene
• The electronic environment where digital evidence can
potentially exist (Rogers, 2005)
• Primary & Secondary Digital Scene(s) as well


Forensic Principles
• Digital/electronic evidence is extremely volatile!
• Once the evidence is contaminated it cannot be
de-contaminated!
• The courts’ acceptance is based on the best
evidence principle
• With computer data, printouts or other output readable
by sight, and bit stream copies adhere to this principle.
• Chain of Custody is crucial


Cyber Forensic Principles


• The 6 Principles are:
1. When dealing with digital evidence, all of the general forensic and
procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that
evidence.
3. When it is necessary for a person to access original digital evidence,
that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage or transfer of digital
evidence must be fully documented, preserved and available for
review.
5. An individual is responsible for all actions taken with respect to
digital evidence whilst the digital evidence is in their possession.
6. Any agency, which is responsible for seizing, accessing, storing or
transferring digital evidence is responsible for compliance with these
principles.


Process/Phases

• Identification
• Collection
• Bag & Tag
• Preservation
• Examination
• Analysis
• Presentation/Report


Identification
• The first step is identifying evidence and
potential containers of evidence
• More difficult than it sounds
▫ Small scale devices
▫ Non-traditional storage media
▫ Multiple possible crime scenes


Identification
• Context of the investigation is very
important
• Do not operate in a vacuum!
• Do not overlook non-electronic
sources of evidence
▫ Manuals, papers, printouts, etc.


Collection
• Care must be taken to minimize
contamination
• Collect or seize the system(s)
• Create forensic image
▫ Live or static?
▫ Do you own the system?
▫ What does your policy say?


Collection: Documentation

• Take detailed photos and notes of the computer / monitor
▫ If the computer is “on”, take photos of what is displayed on the monitor –
DO NOT ALTER THE SCENE


Collection: Documentation
Make sure to take photos and notes of all
connections to the computer/other devices


Collection: Imaging
• Rule of Thumb: make 2 copies and don’t work from
the original (if possible)
• A file copy does not recover all data areas of the
device for examination
• Working from a duplicate image
▫ Preserves the original evidence
▫ Prevents inadvertent alteration of original evidence
during examination
▫ Allows recreation of the duplicate image if necessary


Collection: Imaging
• Digital evidence can be duplicated with no
degradation from copy to copy
▫ This is not the case with most other forms of
evidence


Collection: Imaging
• Write blockers
▫ Software
▫ Hardware
• Hardware write blockers are becoming the industry
standard
▫ USB, SATA, IDE, SCSI, SIM, Memory Cards
▫ Not BIOS dependent
▫ But still verify prior to usage!


Collection: Imaging
• Forensic Copies (Bitstream)
▫ Bit for Bit copying captures all the data on the copied
media including hidden and residual data (e.g., slack
space, swap, residue, unused space, deleted files etc.)
• Often the “smoking gun” is found in the residual data.
• Imaging from a disk (drive) to a file is becoming the
norm
▫ Multiple cases stored on same media
▫ No risk of data leakage from underlying media
• Remember: avoid working from the original
• Use a write blocker even when examining a copy!
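The following is an added example, written for this page and not part of the course material or of any imaging tool, to show concretely why a file copy "does not recover all data areas" while a bit-for-bit image does. It constructs a toy 16-sector raw device (sector size, the one-line directory format `DIR:name@first-last:size` in sector 0, and all sample contents are assumptions made for the demo) with one live file, file slack behind it, and a deleted file whose directory entry is gone but whose sectors were never overwritten. A file-level copy returns only the live bytes; the dd-style acquisition reads every sector, hashing as it goes, and a simple string carve over slack and unallocated space then surfaces the residual data.

```python
import hashlib
import io
import re

SECTOR = 512          # assumed sector size for the constructed device
DEV_SECTORS = 16      # 8 KiB toy device


def build_sample_device() -> bytes:
    """Constructed raw device for the demo (not real evidence).

    Sector 0 holds a one-line directory: DIR:name@first-last:logical_size.
    Sectors 1-2 are allocated to report.txt; the live data is shorter than the
    allocation, so the remainder of those sectors is file slack.
    Sectors 5-6 held a file that was deleted: directory entry gone, bytes not.
    """
    dev = bytearray(SECTOR * DEV_SECTORS)
    live = b"Quarterly report: all figures within budget.\n"
    entry = f"DIR:report.txt@1-2:{len(live)}".encode().ljust(SECTOR, b"\x00")
    dev[0:SECTOR] = entry
    dev[SECTOR:SECTOR + len(live)] = live
    slack = b"[slack] earlier draft: figures exceed budget by 40 percent"
    start = SECTOR + len(live)
    dev[start:start + len(slack)] = slack
    deleted = b"[deleted] private note: do not share these figures with audit"
    dev[5 * SECTOR:5 * SECTOR + len(deleted)] = deleted
    return bytes(dev)


def parse_directory(device: bytes):
    """Return (name, first_sector, last_sector, logical_size) from sector 0."""
    entry = device[:SECTOR].rstrip(b"\x00").decode()
    name, rest = entry[len("DIR:"):].split("@")
    rng, size = rest.split(":")
    first, last = (int(x) for x in rng.split("-"))
    return name, first, last, int(size)


def logical_copy(device: bytes) -> dict:
    """A file-level copy: only the bytes the file system says belong to a file."""
    name, first, _last, size = parse_directory(device)
    return {name: device[first * SECTOR:first * SECTOR + size]}


def bitstream_image(src, chunk: int = SECTOR):
    """dd-style acquisition: read every sector to the end, hashing as we go."""
    out = io.BytesIO()
    digest = hashlib.sha256()
    for block in iter(lambda: src.read(chunk), b""):
        out.write(block)
        digest.update(block)
    return out.getvalue(), digest.hexdigest()


def acquire(device: bytes):
    """Wrap the constructed device in a stream so it is imaged like a real one."""
    return bitstream_image(io.BytesIO(device))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def residual_strings(image: bytes, min_len: int = 8) -> list:
    """Carve printable runs from file slack and from unallocated sectors."""
    _name, first, last, size = parse_directory(image)
    allocated = {0} | set(range(first, last + 1))
    regions = [image[first * SECTOR + size:(last + 1) * SECTOR]]      # file slack
    regions += [image[s * SECTOR:(s + 1) * SECTOR]
                for s in range(len(image) // SECTOR) if s not in allocated]
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode() for region in regions for m in re.findall(pattern, region)]


if __name__ == "__main__":
    device = build_sample_device()
    print("file copy recovers :", logical_copy(device))
    image, digest = acquire(device)
    print("bitstream image    :", len(image), "bytes, sha256", digest)
    for s in residual_strings(image):
        print("residual data      :", s)
```

The carve only understands the toy directory layout; the point it makes is general: the file copy returns 45 bytes, the image returns all 8192, and the "smoking gun" strings live in the bytes the file copy never reads. On a real device the source stream is opened behind a write blocker, and the digest computed during acquisition is what gets recorded for later authentication.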


Imaging: Authenticity & Integrity


• How do we demonstrate that the image is a true unaltered copy of the original?
▫ Hashing (MD5, SHA-256)
• A mathematical algorithm that produces a unique value (128 Bit, 512 Bit)
▫ Can be performed on various types of data (files, partitions, physical drive)
• The value can be used to demonstrate the integrity of your data
▫ Changes made to data will result in a different value
• The same process can be used to demonstrate the image has not changed from
time-1 to time-n
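The time-1 to time-n check described above, as an added example written for this page (not the course's or any vendor's code): the image is hashed once at acquisition, re-hashed later and compared, and a single-byte write to the image makes every algorithm disagree. MD5 produces a 128-bit digest and SHA-256 a 256-bit one (32 and 64 hex characters). The image content, file name `case001.dd` and the temporary directory are constructed for the demo.

```python
import hashlib
import os
import tempfile


def hash_data(data: bytes, algorithms=("md5", "sha256")) -> dict:
    """Hash an in-memory buffer (a file, partition or drive read into memory)."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path: str, algorithms=("md5", "sha256"), chunk: int = 1 << 20) -> dict:
    """Hash a file of any size by streaming it once through every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path: str, reference: dict) -> dict:
    """Re-hash the image now (time-n) and compare with the values recorded at time-1."""
    current = hash_file(path, tuple(reference))
    return {name: current[name] == reference[name] for name in reference}


def demo() -> dict:
    """Acquire, authenticate, then detect a one-byte change; returns the results."""
    # Constructed sample image content; stands in for a real bit-stream image.
    image = b"\x00" * 4096 + b"evidence sector\n" + b"\xff" * 1024
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "case001.dd")
        with open(path, "wb") as f:
            f.write(image)
        acquired = hash_file(path)                 # time-1: record with the image
        same_as_memory = acquired == hash_data(image)
        intact = verify_image(path, acquired)      # time-n: nothing touched
        with open(path, "r+b") as f:               # simulate an accidental write
            f.seek(4096)
            f.write(b"E")
        tampered = verify_image(path, acquired)    # every algorithm now disagrees
    return {"acquired": acquired, "same_as_memory": same_as_memory,
            "intact": intact, "tampered": tampered}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Recording two algorithms at acquisition costs one extra pass over the data and means a later challenge to one algorithm does not leave the image unauthenticated. The digests belong in the acquisition notes together with who hashed what, when and with which tool.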


Examination
• Higher level look at the file system representation of the
data on the media
• Verify integrity of image
▫ MD5, SHA1 etc.
• Recover deleted files & folders
• Determine keyword list
▫ What are you searching for
• Determine time lines
▫ What is the timezone setting of the suspect system
▫ What time frame is of importance
▫ Graphical representation is very useful
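Determining a timeline means first settling the timezone question, so here is an added example (written for this page, not taken from the course or any forensic suite) that merges two constructed sources onto one UTC axis: workstation artifacts whose timestamps were stored in the suspect system's local time with no offset, and a proxy log that already records UTC. The suspect zone `America/New_York`, the event list, the artifact names and the window of interest are all assumptions made for the demo; if the host has no tz database the code falls back to a fixed UTC-5 offset.

```python
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo          # Python 3.9+, needs the host tz database
    SUSPECT_TZ = ZoneInfo("America/New_York")   # the suspect system's zone setting
except Exception:                           # no tz database: fixed-offset fallback
    SUSPECT_TZ = timezone(timedelta(hours=-5), "EST")

# Constructed sample events, each written the way its source recorded it.
# The workstation stores local time with no offset; the proxy writes UTC ('Z').
LOCAL_EVENTS = [
    ("workstation", "report.xlsx", "modified", "2023-03-10 17:45:12"),
    ("workstation", "E:\\ (removable)", "mounted", "2023-03-10 18:02:33"),
    ("workstation", "report.xlsx", "accessed", "2023-03-11 09:10:00"),
]
UTC_EVENTS = [
    ("proxy", "drive.example/upload", "PUT 2.1 MB", "2023-03-10T22:50:05Z"),
]


def local_to_utc(ts: str) -> datetime:
    """Interpret a naive workstation timestamp in the suspect's zone, then convert."""
    naive = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=SUSPECT_TZ).astimezone(timezone.utc)


def zulu_to_utc(ts: str) -> datetime:
    """Parse a timestamp that already carries the 'Z' (UTC) designator."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(local_events, utc_events) -> list:
    """Merge both sources on one UTC axis: (utc_time, source, artifact, action)."""
    rows = [(local_to_utc(ts), src, art, act) for src, art, act, ts in local_events]
    rows += [(zulu_to_utc(ts), src, art, act) for src, art, act, ts in utc_events]
    return sorted(rows, key=lambda r: r[0])


def in_window(timeline, start_iso: str, end_iso: str) -> list:
    """Keep rows inside the time frame of interest (ISO 8601 strings with offset)."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [r for r in timeline if start <= r[0] < end]


def render(timeline) -> list:
    """One fixed-width text line per event, in UTC."""
    return [f"{t:%Y-%m-%dT%H:%M:%SZ} {src:<11} {act:<10} {art}"
            for t, src, art, act in timeline]


if __name__ == "__main__":
    tl = build_timeline(LOCAL_EVENTS, UTC_EVENTS)
    window = in_window(tl, "2023-03-10T22:00:00+00:00", "2023-03-11T00:00:00+00:00")
    print("\n".join(render(window)))
```

With the zone applied, the spreadsheet edit at 17:45 local lands five minutes before the 22:50 UTC upload; had the naive timestamps been treated as UTC the upload would appear to precede the edit by five hours and the sequence would be wrong. Note that `replace(tzinfo=...)` is the right call for `zoneinfo` zones (it handles DST for the given date), and that the window bounds must carry an offset, since comparing naive and aware datetimes raises `TypeError`.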


Examination
• Examine directory tree
▫ What looks out of place
▫ Stego tools installed
▫ Evidence scrubbers
• Perform keyword searches
▫ Indexed
▫ Slack & unallocated space
• Search for relevant evidence types
▫ Hash sets can be useful
▫ Graphics
▫ Spreadsheets
▫ Hacking tools
▫ Etc.
• Look for the obvious first
• When is enough enough??


Issues
• Lack of certification for tools
• Lack of standards
• Lack of certification for professionals
• Lack of understanding by the judiciary
• Lack of curriculum accreditation
• Rapid changes in technology!
• Immature scientific discipline

Cyber Forensics, Crime Scene Analysis

Part Two: Digital Investigation Process



Preparing for Digital Investigations


• Digital investigations fall into two categories:
▫ Public-sector investigations
▫ Private-sector investigations

Preparing for Digital Investigations


• Public-sector investigations involve government agencies
responsible for criminal investigations and prosecution
• Fourth Amendment to the U.S. Constitution
▫ Restricts government search and seizure
• The Department of Justice (DOJ) updates information on computer
search and seizure regularly
• Private-sector investigations focus more on policy violations

Understanding Law Enforcement Agency Investigations


• When conducting public-sector investigations, you must
understand laws on computer-related crimes including:
▫ Standard legal processes
▫ Guidelines on search and seizure
▫ How to build a criminal case
• The Computer Fraud and Abuse Act was passed in 1986
▫ Specific state laws were generally developed later

Following Legal Processes


• A criminal investigation usually begins when someone
finds evidence of or witnesses a crime
▫ Witness or victim makes an allegation to the police
• Police interview the complainant and write a report
about the crime
• Report is processed and management decides to start an
investigation or log the information in a police blotter
▫ Blotter is a historical database of previous crimes

Following Legal Processes


• Digital Evidence First Responder (DEFR)
▫ Arrives on an incident scene, assesses the situation, and takes
precautions to acquire and preserve evidence
• Digital Evidence Specialist (DES)
▫ Has the skill to analyze the data and determine when another
specialist should be called in to assist
• Affidavit - a sworn statement of support of facts about or evidence
of a crime
▫ Must include exhibits that support the allegation

Understanding Private-Sector Investigations


• Private-sector investigations involve private companies and lawyers
who address company policy violations and litigation disputes
▫ Example: wrongful termination
• Businesses strive to minimize or eliminate litigation
• Private-sector crimes can involve:
▫ E-mail harassment, falsification of data, gender and age discrimination,
embezzlement, sabotage, and industrial espionage

Understanding Private-Sector Investigations


• Businesses can reduce the risk of litigation by publishing and
maintaining policies that employees find easy to read and follow
• Most important policies define rules for using the company’s
computers and networks
▫ Known as an “Acceptable use policy”
• Line of authority - states who has the legal right to initiate an
investigation, who can take possession of evidence, and who can
have access to evidence

Understanding Private-Sector Investigations


• Businesses can avoid litigation by displaying a warning
banner on computer screens
▫ Informs end users that the organization reserves the right to
inspect computer systems and network traffic at will

Understanding Private-Sector Investigations


• Sample text that can be used in internal warning banners:
▫ Use of this system and network is for official business only
▫ Systems and networks are subject to monitoring at any time by
the owner
▫ Using this system implies consent to monitoring by the owner
▫ Unauthorized or illegal users of this system or network will be
subject to discipline or prosecution

Understanding Private-Sector Investigations


• Businesses are advised to specify an authorized requester who
has the power to initiate investigations
• Examples of groups with authority
▫ Corporate security investigations
▫ Corporate ethics office
▫ Corporate equal employment opportunity office
▫ Internal auditing
▫ The general counsel or legal department

Understanding Private-Sector Investigations


• During private investigations, you search for evidence to support
allegations of violations of a company’s rules or an attack on its assets
• Three types of situations are common:
▫ Abuse or misuse of computing assets
▫ E-mail abuse
▫ Internet abuse
• A private-sector investigator’s job is to minimize risk to the company

Understanding Private-Sector Investigations


• The distinction between personal and company computer property
can be difficult with cell phones, smartphones, personal notebooks,
and tablet computers
• Bring your own device (BYOD) environment
▫ Some companies state that if you connect a personal device to the
business network, it falls under the same rules as company property

Maintaining Professional Conduct


• Professional conduct - includes ethics, morals, and standards of
behavior
• An investigator must exhibit the highest level of professional
behavior at all times
▫ Maintain objectivity
▫ Maintain credibility by maintaining confidentiality
• Investigators should also attend training to stay current with the
latest technical changes in computer hardware and software,
networking, and forensic tools

Preparing a Digital Forensics Investigation


• The role of a digital forensics professional is to gather evidence to
prove that a suspect committed a crime or violated a company policy
• Collect evidence that can be offered in court or at a corporate
inquiry
▫ Investigate the suspect’s computer
▫ Preserve the evidence on a different computer
• Chain of custody
▫ Route the evidence takes from the time you find it until the case is
closed or goes to court

Important Factors
• Legal procedures
▫ Not compromising evidence
• Treat every piece of evidence as if it will be used in court
• Documentation
• Chain of Custody
▫ https://study.com/academy/lesson/what-is-the-chain-of-custody-definition-procedures-importance.html

• Write blockers
• Imaging
▫ Bit by bit copy of a piece of electronic media (Hard drive)
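Chain of custody (the route the evidence takes from the moment it is found until the case closes, as the slides above put it) is a documentation problem, and one way to make that documentation tamper-evident is a hash-chained log in which every entry commits to the previous one and carries the image's own digest. The following is an added example written for this page, not a procedure from the course or any case-management product; the item name `case001.dd`, the handlers, locations, times and the placeholder digests are constructed. It does not replace signed custody forms or physical controls; it gives the reviewer a mechanical check that no past record was edited and that the recorded hash of an item never silently changed between custodians.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64   # prev_hash of the first entry


def _digest(entry: dict) -> str:
    """Canonical JSON of every field except the entry's own hash, then SHA-256."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(log: list, item_id: str, action: str, handler: str,
                 location: str, item_sha256: str, when: datetime = None) -> dict:
    """Add one custody event; it commits to the previous entry's hash."""
    entry = {
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "item_id": item_id, "action": action, "handler": handler,
        "location": location, "item_sha256": item_sha256,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_log(log: list):
    """Return None if the log is consistent, else the index of the first bad entry.

    Checks that each entry hashes to its recorded value, links to its predecessor,
    and never changes the recorded digest of an item seen in an earlier entry.
    """
    prev, item_hashes = GENESIS, {}
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or _digest(entry) != entry["entry_hash"]:
            return i
        first_seen = item_hashes.setdefault(entry["item_id"], entry["item_sha256"])
        if first_seen != entry["item_sha256"]:
            return i
        prev = entry["entry_hash"]
    return None


def demo() -> dict:
    """Constructed custody history for one image; digests are placeholders."""
    t0 = datetime(2023, 3, 11, 15, 0, tzinfo=timezone.utc)
    img = "<sha256 of case001.dd recorded at acquisition>"   # placeholder value
    log = []
    append_entry(log, "case001.dd", "acquired", "J. Doe", "site A, office 12", img, t0)
    append_entry(log, "case001.dd", "transferred", "J. Doe -> K. Lee",
                 "evidence locker", img, t0 + timedelta(hours=2))
    append_entry(log, "case001.dd", "examined", "K. Lee", "lab bench 3",
                 img, t0 + timedelta(days=1))
    clean = verify_log(log)                                  # None: consistent

    altered = json.loads(json.dumps(log))                    # deep copy
    altered[1]["handler"] = "K. Lee"                         # a past record "corrected"
    edited = verify_log(altered)                             # 1: entry no longer matches

    drifted = json.loads(json.dumps(log))
    append_entry(drifted, "case001.dd", "examined", "K. Lee", "lab bench 3",
                 "<a different sha256>", t0 + timedelta(days=2))
    changed_item = verify_log(drifted)                       # 3: item digest changed

    return {"entries": len(log), "clean": clean, "edited": edited,
            "changed_item": changed_item}


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the protection of the log itself: an adversary who can rewrite every entry can rebuild the chain, so in practice the newest `entry_hash` is countersigned or copied into a record the custodians cannot alter (a printed form, a ticket, a write-once store).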

What Should be Avoided During an Investigation?

• Changing data
▫ Changing time or date stamps
▫ Changing files
• Overwriting unallocated disk space
▫ This can happen when re-booting
• Verify Hash values from images

Computer Forensic Tools


• Parse through the created image
▫ Built-in system parser
• Rebuilds both active and deleted files
• Open source
• Commercial sources

A parser is a compiler or interpreter component that breaks data into smaller elements for easy translation into another language.

Common Computer Forensic Software


• ArcSight Logger
• Netwitness Investigator
• Quest Change Auditor
• Cellebrite
• Physical Analyzer
• Lantern
• Access Data’s Forensic Toolkit (FTK)
• EnCase Cybersecurity
• EnCase eDiscovery
• EnCase Portable
• EnCase Forensic*

EnCase Forensic
• Acquisition
• Reporting
• EnScript :
▫ Scripting facility
▫ Various APIs for interacting with evidence
• Collect, Analyze and examine data
▫ Deleted files
▫ Unallocated space
▫ File slack
• Duplicates of original data (Imaging)
▫ Accuracy can be verified by hash and Cyclic Redundancy Check values

EnCase Forensic

• Many operating systems


▫ Windows
▫ Linux
▫ Apple iOS
▫ Sun/Oracle Solaris
• Supported smartphones
• Recommended to run on the Windows 7 (64-bit) operating system

EnCase Forensic

File Signatures

EnCase Gallery

EnCase Document View
