Overview of Computer Forensics

Understanding computer forensics

What is Computer Forensics?
Definition: Involves obtaining and analyzing digital
information, often as evidence in civil, criminal, or
administrative cases
Computer forensics:
• Investigates data that can be retrieved from a computer’s
hard disk or other storage media
• Task of recovering data that users have hidden or deleted
and using it as evidence
• Evidence can be inculpatory (“incriminating”) or
exculpatory

Computer Forensics Versus Other
Related Disciplines
• Network forensics
• Yields information about how a perpetrator or an attacker
gained access to a network
• Data recovery
• Recovering information that was deleted by mistake, or lost
during a power surge or server crash
• Typically you know what you’re looking for

Computer Forensics Versus Other
Related Disciplines (continued)
• Disaster recovery
• Uses computer forensics techniques to retrieve
information their clients have lost

Investigators often work as a team to make computers and networks secure in an organization

Digital Evidence
• Locard’s principle: “every contact leaves a trace”
• Any information, stored or transmitted in digital form, that a
party to a court case may use at a trial

To be accepted in court, digital evidence must meet certain criteria …
• Admissibility
• Authenticity

An Overview of Digital Forensics
• Digital forensics
• The application of computer science and investigative procedures for a legal
purpose involving the analysis of digital evidence after proper search
authority, chain of custody, validation with mathematics, use of validated
tools, repeatability, reporting, and possible expert presentation.
• In October 2012, an ISO standard for digital forensics was ratified: ISO 27037, Information technology - Security techniques

An Overview of Digital Forensics
• The Federal Rules of Evidence (FRE) were created to ensure
consistency in federal proceedings
• Signed into law in 1973
• Many states’ rules map to the FRE
• FBI Computer Analysis and Response Team (CART) was formed in
1984 to handle cases involving digital evidence
• By late 1990s, CART teamed up with Department of Defense
Computer Forensics Laboratory (DCFL)

An Overview of Digital Forensics
• The Fourth Amendment to the U.S. Constitution protects everyone’s
right to be secure from search and seizure
• Separate search warrants might not be necessary for digital evidence
• Every U.S. jurisdiction has case law related to the admissibility of
evidence recovered from computers and other digital devices

Digital Forensics and Other Related
Disciplines
• Investigating digital devices includes:
• Collecting data securely
• Examining suspect data to determine details such as origin and content
• Presenting digital information to courts
• Applying laws to digital device practices
• Digital forensics is different from data recovery
• Which involves retrieving information that was deleted by mistake or lost
during a power surge or server crash

Digital Forensics and Other Related
Disciplines
• Forensics investigators often work as part of a team, known as the
investigations triad

Digital Forensics and Other Related
Disciplines
• Vulnerability/threat assessment and risk
management
• Tests and verifies the integrity of stand-alone workstations
and network servers
• Network intrusion detection and incident response
• Detects intruder attacks by using automated tools and
monitoring network firewall logs
• Digital investigations
• Manages investigations and conducts forensics analysis of
systems suspected of containing evidence

A Brief History of Digital Forensics
• By the early 1990s, the International Association of Computer
Investigative Specialists (IACIS) introduced training on software for
digital forensics
• IRS created search-warrant programs
• ASR Data created Expert Witness for Macintosh
• ILook is currently maintained by the IRS Criminal Investigation
Division
• AccessData Forensic Toolkit (FTK) is a popular commercial product

Understanding Case Law
• Existing laws can’t keep up with the rate of technological change
• When statutes don’t exist, case law is used
• Allows legal counsel to apply previous similar cases to current one in an effort
to address ambiguity in laws
• Examiners must be familiar with recent court rulings on search and
seizure in the electronic environment

Developing Computer Forensics Resources
• Know more than one computing platform
• Such as DOS, Windows 9x, Linux, Macintosh, and current Windows
platforms
• Join many computer user groups - Computer Technology
Investigators Network (CTIN)
• Meets monthly to discuss problems that law enforcement and corporations face
• High Technology Crime Investigation Association (HTCIA)
• Exchanges information about techniques related to computer
investigations and security

Developing Computer Forensics Resources
(continued)
• User groups can be helpful
• Build a network of computer forensics experts and other
professionals
• And keep in touch through e-mail
• Outside experts can provide detailed information you need
to retrieve digital evidence

Background
• 85% of business and government agencies detected security breaches.
(Source: http://www.smh.com.au/icon/0105/02/news4.html)
• FBI estimates U.S. losses at up to $10 billion a year. (Source: Sager, Ira, et al.,
“Cyber Crime”, Business Week, February 2000.)

Background (continued)
• In the early 1990s, threats to information systems
were approximately 80% internal and 20%
external.
• With the integration of telecommunications and
personal computers into the internet, the threats
appear to be approaching an equal split between
internal and external agents.
• (Source: Kovacich, G. L., and W. C. Boni, 2000, High-Technology
Crime Investigator’s Handbook, Butterworth Heinemann, p. 56.)

Background (continued)
• Countermeasures for computer crime
• Computer & network security
• Effective prosecution, and prevention

Category of Digital Evidence
• Hardware
• Software
• Data
• Programs

Digital Evidence
• Definition
• Digital data that can establish that a crime has been committed or can provide
a link between a crime and its victim or a crime and its perpetrator. (Source:
Casey, Eoghan, Digital Evidence and Computer Crime: Forensic Science, Computers and the
Internet, Academic Press, 2000.)
• Categories
• Text
• Audio
• Image
• Video

Where Evidence Resides
• Computer systems
• Logical file system
• File system
• Files, directories and folders, FAT, Clusters, Partitions, Sectors
• Random access memory
• Physical storage media
• Magnetic force microscopy can be used to recover data from overwritten areas
• Slack space
• Space allocated to a file but not actually used, due to internal fragmentation
• Unallocated space
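The slack-space and unallocated-space points above are easiest to see on a small disk image. The following is an added example, not code from the slides: it builds a constructed in-memory volume with fixed-size clusters, writes and then deletes a large file, writes a smaller file into the same first cluster, and shows that the old file's bytes survive both in the new file's slack (between its logical end and the end of its cluster) and in the now-unallocated clusters. The volume layout, cluster size and file contents are all invented for the demonstration.

```python
"""Slack space and unallocated space on a constructed cluster-based volume.

Added example (not part of the original slides). ToyVolume is a minimal
first-fit allocator with a FAT-like owner table; it never wipes cluster
contents on delete, which is exactly why slack and unallocated space are
worth examining in an investigation.
"""
CLUSTER = 512  # bytes per cluster (constructed value)


def clusters_needed(size: int, cluster: int = CLUSTER) -> int:
    """Ceiling division; an empty file still occupies one cluster here."""
    return max(1, -(-size // cluster))


class ToyVolume:
    def __init__(self, n_clusters: int):
        self.cluster = CLUSTER
        self.image = bytearray(CLUSTER * n_clusters)
        self.files = {}                   # name -> (first_cluster, logical_size)
        self.fat = [None] * n_clusters    # cluster index -> owning file or None

    def _find_free_run(self, need: int) -> int:
        """First-fit search for `need` contiguous free clusters."""
        run = 0
        for i, owner in enumerate(self.fat):
            run = run + 1 if owner is None else 0
            if run == need:
                return i - need + 1
        raise OSError("volume full")

    def write(self, name: str, data: bytes) -> None:
        need = clusters_needed(len(data), self.cluster)
        start = self._find_free_run(need)
        for c in range(start, start + need):
            self.fat[c] = name
        off = start * self.cluster
        # Only the logical bytes are written; whatever was in the rest of
        # the last cluster stays there, i.e. it becomes file slack.
        self.image[off:off + len(data)] = data
        self.files[name] = (start, len(data))

    def delete(self, name: str) -> None:
        """Drop the directory entry and free the clusters; data is untouched."""
        start, size = self.files.pop(name)
        for c in range(start, start + clusters_needed(size, self.cluster)):
            self.fat[c] = None

    def slack(self, name: str) -> bytes:
        """Bytes from the file's logical end to the end of its last cluster."""
        start, size = self.files[name]
        end_of_data = start * self.cluster + size
        end_of_alloc = (start + clusters_needed(size, self.cluster)) * self.cluster
        return bytes(self.image[end_of_data:end_of_alloc])

    def unallocated(self) -> bytes:
        """Concatenation of every cluster not currently owned by a file."""
        return b"".join(
            bytes(self.image[c * self.cluster:(c + 1) * self.cluster])
            for c, owner in enumerate(self.fat) if owner is None
        )


def demo():
    """Write, delete, overwrite; return what an examiner would find."""
    vol = ToyVolume(n_clusters=4)
    old = b"OLD CONFIDENTIAL MEMO " * 60      # 1320 bytes -> 3 clusters
    vol.write("memo.txt", old)
    vol.delete("memo.txt")                    # clusters 0-2 become unallocated
    vol.write("note.txt", b"short note")      # 10 bytes, reuses cluster 0
    slack = vol.slack("note.txt")             # 502 bytes of the old memo
    leftover = vol.unallocated()              # clusters 1-3 still hold the memo
    return len(slack), slack[:22], b"OLD CONFIDENTIAL MEMO " in leftover


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to a real file system: a recovered file's logical size tells the examiner where the slack begins, and the allocation structures tell which clusters are unallocated, so an image of the whole volume (not just a copy of the live files) is needed to capture either.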

Where Evidence Resides (continued)
• Computer networks.
• Application Layer
• Transport Layer
• Network Layer
• Data Link Layer

Evidence on Application Layer
• Web pages, Online documents.
• E-Mail messages.
• News group archives.
• Archive files.
• Chat room archives.
• …

Evidence on Transport and Network
Layers
[Diagram: Internet Service Provider, router, firewall, modem and host, each annotated with the evidence it holds (log files and state tables).]
Evidence on the Data-link and Physical Layers

[Diagram: Computer A to Computer Z across an Ethernet network, a router and an ATM network; the data-link layer maps MAC addresses to IP addresses (MAC --> IP, MAC <-- IP).]
Case study
• In this case, American Express (Amex) claimed that Mr.
Vinhnee had failed to pay his credit card debts, and took
legal action to recover the money. But the trial judge
determined that Amex failed to authenticate its electronic
records, and therefore Amex could not admit its own
business records into evidence. Among other problems,
the court said that Amex failed to provide adequate
information about its computer policy & system control
procedures, control of access to relevant databases &
programs, how changes to data were recorded or logged,
what backup practices were in place, and how Amex could
provide assurance of continuing integrity of their records.
• The judge pointed out that, "... the focus is not on the
circumstances of the creation of the record, but rather on
the circumstances of the preservation of the record
so as to assure that the document being proffered is the
same as the document that originally was created ...”
• http://www.proofspace.com/technology/discovery.php
Lessons
• Document your access control and backup
procedures and policies and test effectiveness
of your controls.
• Have the changes to your databases and
content/record management system routinely
recorded and logged.
• Protect your electronic record from post-
archival tampering with modern data integrity
and trusted time-stamping technologies.
• Document the audit procedures you use to
provide assurance of the continuing
authenticity of the records.
• http://www.proofspace.com/technology/discovery.php

Case Study
A user group helped convict a child molester in Pierce
County, Washington, in 1996. The suspect installed video
cameras throughout his house, served alcohol to young
women to intoxicate them, and secretly filmed them playing
strip poker. When he was accused of molesting a child,
police seized his computers and other physical evidence. The
investigator discovered that the computers used CoCo DOS,
an OS that had been out of use for years. The investigator
contacted a local user group, which supplied the standard
commands and other information needed to gain access to
the system. On the suspect’s computer, the investigator
found a diary detailing the suspect’s actions over the past 15
years, including the molestation of more than 400 young
women. As a result, the suspect received a longer sentence
than if he had been convicted of molesting only one child.

Preparing for Digital Investigations
• Digital investigations fall into two categories:
• Public-sector investigations
• Private-sector investigations

Preparing for Digital Investigations
• Public-sector investigations involve government agencies responsible
for criminal investigations and prosecution
• Fourth Amendment to the U.S. Constitution
• Restricts government search and seizure
• The Department of Justice (DOJ) updates information on computer
search and seizure regularly
• Private-sector investigations focus more on policy violations

Understanding Law Enforcement Agency
Investigations
• When conducting public-sector investigations, you must understand
laws on computer-related crimes including:
• Standard legal processes
• Guidelines on search and seizure
• How to build a criminal case
• The Computer Fraud and Abuse Act was passed in 1986
• Specific state laws were generally developed later

Following Legal Processes
• A criminal investigation usually begins when someone finds evidence
of or witnesses a crime
• Witness or victim makes an allegation to the police
• Police interview the complainant and write a report about the crime
• Report is processed and management decides to start an
investigation or log the information in a police blotter
• Blotter is a historical database of previous crimes

Following Legal Processes
• Digital Evidence First Responder (DEFR)
• Arrives on an incident scene, assesses the situation, and takes precautions to
acquire and preserve evidence
• Digital Evidence Specialist (DES)
• Has the skill to analyze the data and determine when another specialist
should be called in to assist
• Affidavit - a sworn statement of support of facts about or evidence of
a crime
• Must include exhibits that support the allegation
• Sample: https://www.justice.gov/archive/amerithrax/docs/08-431-m-01.pdf

Understanding Private-Sector Investigations
• Private-sector investigations involve private companies and lawyers
who address company policy violations and litigation disputes
• Example: wrongful termination
• Businesses strive to minimize or eliminate litigation
• Private-sector crimes can involve:
• E-mail harassment, falsification of data, gender and age discrimination,
embezzlement, sabotage, and industrial espionage

Understanding Private-Sector Investigations
• Businesses can reduce the risk of litigation by publishing and
maintaining policies that employees find easy to read and follow
• Most important policies define rules for using the company’s
computers and networks
• Known as an “Acceptable use policy”
• Line of authority - states who has the legal right to initiate an
investigation, who can take possession of evidence, and who can have
access to evidence

Understanding Private-Sector Investigations
• Businesses can avoid litigation by displaying a warning banner on
computer screens
• Informs end users that the organization reserves the right to inspect
computer systems and network traffic at will

Understanding Private-Sector Investigations
• Sample text that can be used in internal warning banners:
• Use of this system and network is for official business only
• Systems and networks are subject to monitoring at any time by the owner
• Using this system implies consent to monitoring by the owner
• Unauthorized or illegal users of this system or network will be subject to
discipline or prosecution

Understanding Private-Sector Investigations
• Businesses are advised to specify an authorized requester who has
the power to initiate investigations
• Examples of groups with authority
• Corporate security investigations
• Corporate ethics office
• Corporate equal employment opportunity office
• Internal auditing
• The general counsel or legal department

Understanding Private-Sector Investigations
• During private investigations, you search for evidence to support
allegations of violations of a company’s rules or an attack on its assets
• Three types of situations are common:
• Abuse or misuse of computing assets
• E-mail abuse
• Internet abuse
• A private-sector investigator’s job is to minimize risk to the company

Understanding Private-Sector Investigations
• The distinction between personal and company computer property
can be difficult with cell phones, smartphones, personal notebooks,
and tablet computers
• Bring your own device (BYOD) environment
• Some companies state that if you connect a personal device to the business
network, it falls under the same rules as company property

Maintaining Professional Conduct
• Professional conduct - includes ethics, morals, and standards of
behavior
• An investigator must exhibit the highest level of professional behavior
at all times
• Maintain objectivity
• Maintain credibility by maintaining confidentiality
• Investigators should also attend training to stay current with the latest
technical changes in computer hardware and software, networking,
and forensic tools

Preparing a Digital Forensics Investigation
• The role of a digital forensics professional is to gather evidence to prove
that a suspect committed a crime or violated a company policy
• Collect evidence that can be offered in court or at a corporate inquiry
• Investigate the suspect’s computer
• Preserve the evidence on a different computer
• Chain of custody
• Route the evidence takes from the time you find it until the case is closed or
goes to court
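The chain-of-custody point above, and the Amex lessons earlier about logging changes and protecting records from post-archival tampering, both come down to being able to show that what is proffered is the same as what was collected. The following is an added example, not code from the slides or from any forensic tool: it hashes a constructed evidence image at acquisition, keeps a custody log whose entries are hash-linked to their predecessors, and shows that re-hashing detects a changed image and that the log verification pinpoints an edited entry. The evidence identifier, custodian names and file bytes are invented.

```python
"""Evidence hash plus a hash-chained chain-of-custody log.

Added example (not part of the original slides). Each log entry commits
to the SHA-256 of the previous entry, so silently editing or dropping an
entry breaks the chain; the image hash recorded at acquisition lets any
later holder confirm the bytes are unchanged. A production workflow would
additionally have the final entry hash signed or time-stamped by a trusted
third party, which this example does not do.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record for one evidence item."""

    def __init__(self, evidence_id: str, custodian: str, acquisition_hash: str, when=None):
        self.evidence_id = evidence_id
        self.entries = []
        self.append("acquired", custodian, acquisition_hash, when)

    def append(self, action: str, custodian: str, evidence_hash: str, when=None) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "evidence_id": self.evidence_id,
            "seq": len(self.entries),
            "action": action,
            "custodian": custodian,
            "evidence_hash": evidence_hash,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_hash": prev,
        }
        # Canonical JSON so the hash is reproducible on re-verification.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return (True, -1) if the chain is intact, else (False, first bad index)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or e["seq"] != i:
                return False, i
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, -1


def check_evidence(image: bytes, log: CustodyLog) -> bool:
    """Re-hash the image and compare with the hash recorded at acquisition."""
    return sha256_hex(image) == log.entries[0]["evidence_hash"]


def demo():
    """Build a log, then tamper with it and with the image; report what is caught."""
    image = b"constructed evidence image: " + bytes(range(256))  # constructed bytes
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)               # fixed for reproducibility
    log = CustodyLog("CASE-0001-HDD", "examiner-1", sha256_hex(image), t0)
    log.append("transferred to lab", "examiner-2", sha256_hex(image), t0)
    log.append("analysed", "examiner-2", sha256_hex(image), t0)
    ok_before = log.verify()                  # (True, -1)
    intact = check_evidence(image, log)       # True
    log.entries[1]["custodian"] = "someone-else"   # post-hoc edit of a log entry
    ok_after = log.verify()                   # (False, 1)
    tampered = check_evidence(image + b"\x00", log)  # False: one extra byte
    return ok_before, intact, ok_after, tampered


if __name__ == "__main__":
    print(demo())
```

Verification walks the log from the first entry, so the index returned is the earliest point at which the record can no longer be trusted; everything before it still stands on its own hash.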
