Week(3)-Understanding the Computer Forensic Process

The document outlines the fundamentals of digital forensics and investigation, detailing the systematic approach needed for preparing and conducting investigations. It emphasizes the importance of evidence handling, chain of custody, and various types of investigations such as internet abuse and industrial espionage. Additionally, it highlights the roles of digital forensics professionals and the necessary steps for securing and analyzing digital evidence.


CSF3403
Digital Forensic and Investigation

Chapter 1: Understanding the Digital Forensics Profession and Investigations (CLO1) - Week 3
Credits and Revision Control

• Change description: Existing material is revised and updated; lab activities are updated; new lab activities created
• Change level: Major

Version | Author               | Effective Date  | Change Description       | DRC No
1.0     | Unknown              | NA              | Define the first version | 001
1.1     | Dr. Nabih Abdelmajid | Fall (Aug 2022) | Create a new version     | 002
Objectives

Upon completing this chapter, students will be able to:

• Describe how to prepare a digital forensics investigation by taking a systematic approach
• Describe procedures for private-sector digital investigations
• Explain requirements for data recovery workstations and software
• Summarize how to conduct an investigation, including critiquing a case
Preparing a Digital Forensics Investigation

The role of the digital forensics professional is:

• to gather evidence
• to conduct the investigation by processing digital evidence
• to preserve the evidence on a different computer
• to prove that a suspect committed a crime or violated a company policy
• to summarize the findings in a report and, when required, present the findings (to the prosecutor, in court, to a company executive, etc.)
Preparing a Digital Forensics Investigation

Chain of custody
• The route the evidence takes from the time you find it until the case is closed or goes to court

What if you don't know (or cannot establish) who took a suspect hard disk from the crime scene to the lab?
• The chain is broken
• Changes may have been made to the disk
• The integrity of the evidence is compromised
An Overview of a Computer Crime

• Computers can contain information that helps law enforcement determine:
  • The chain of events leading to a crime
  • Evidence that can lead to a conviction
• Computer information may provide additional information to solve the crime
An Overview of a Computer Crime

• Law enforcement officers should follow proper procedure when acquiring the evidence
• Digital evidence can be easily altered by an overeager investigator
• Information on hard disks might be password protected, so forensics tools may need to be used in your investigation
An Overview of a Company Policy Violation

When employees misuse company resources, i.e., do not follow company policies, it can cost companies millions of dollars. Misuse includes:
• Surfing the Internet
• Sending personal e-mails
• Using company computers for personal tasks during work hours
Taking a Systematic Approach

Steps for problem solving:

• Make an initial assessment about the type of case you are investigating
• Determine a preliminary design or approach to the case
• Create a detailed checklist
• Determine the resources you need
• Obtain and copy an evidence drive
• Identify the risks
• Mitigate or minimize the risks
• Test the design
• Analyze and recover the digital evidence
• Investigate the data you recover
• Complete the case report
• Critique the case

The amount of time and effort for each step varies depending on the case you investigate.
Assessing the Case

Systematically outline the case details:

• Situation
• Nature of the case
• Specifics of the case
• Type of evidence
• Known disk format
• Location of evidence

Based on these details, you can determine the case requirements.
Planning Your Investigation (1 of 4)

A basic investigation plan should include the following activities:
• Acquire the evidence
• Complete an evidence form and establish a chain of custody
• Transport the evidence to a computer forensics lab
• Secure the evidence in an approved secure container
• Prepare your forensics workstation
• Retrieve the evidence from the secure container
• Make a forensic copy of the evidence
• Return the evidence to the secure container
• Process the copied evidence with computer forensics tools
Planning Your Investigation (2 of 4)

• An evidence custody form helps you document what has been done with the original evidence and its forensics copies
  • Also called a chain-of-evidence form
• Two types:
  • Single-evidence form: lists each piece of evidence on a separate page
  • Multi-evidence form

A broken chain of custody can throw out your case. Therefore, documenting evidence is very important during a forensics analysis.
Planning Your Investigation (3 of 4)

About this form:

• Good for 10 items max
• Name of the investigator who recovered the evidence
• Specify the locker used
• Which investigator retrieved the evidence from the locker to process it?
• What have you done with the evidence?
Planning Your Investigation (4 of 4)

• More flexibility in tracking separate pieces of evidence for your chain-of-custody log
• More space for descriptions to help finalize the investigation and create a case report
• You can accurately account for what was done to the evidence and what was found
• Can be used as a reference for all actions taken during your investigative analysis
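The custody record and integrity check these slides describe, as an added Python example that is not part of the course material: every handling step is logged with the investigator, the bag, locker or workstation, and a SHA-256 hash of the evidence; a bit-stream copy is taken and hashed; and the chain counts as broken as soon as a recorded hash differs from the one taken at recovery. The "disk" contents, investigator names and locker numbers are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Tuple

@dataclass
class CustodyEntry:
    when: str
    investigator: str
    action: str      # recovered, checked in/out, imaged, ...
    location: str    # evidence bag, locker or workstation (constructed names)
    sha256: str      # hash of the evidence data observed at this step

@dataclass
class EvidenceItem:
    item_id: str
    description: str
    entries: List[CustodyEntry] = field(default_factory=list)

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def log_action(item: EvidenceItem, investigator: str, action: str,
               location: str, data: bytes) -> CustodyEntry:
    # One line of the multi-evidence form: who did what, where, and the hash seen at that moment
    entry = CustodyEntry(datetime.now(timezone.utc).isoformat(), investigator,
                         action, location, sha256_of(data))
    item.entries.append(entry)
    return entry

def bit_stream_copy(source: bytes) -> bytes:
    # Simulated bit-stream image: every byte of the original, in order, nothing interpreted or skipped
    return bytes(bytearray(source))

def chain_intact(item: EvidenceItem) -> bool:
    # Intact only if every hash recorded since recovery is identical to the first one
    return bool(item.entries) and len({e.sha256 for e in item.entries}) == 1

def demo() -> Tuple[bool, bool]:
    original = bytes(range(256)) * 16          # constructed 4 KiB "suspect disk"
    item = EvidenceItem("E-001", "Suspect laptop hard disk (constructed)")
    log_action(item, "A. Investigator", "recovered at scene", "evidence bag 7", original)
    log_action(item, "A. Investigator", "checked into locker", "locker 3", original)
    image = bit_stream_copy(original)
    log_action(item, "B. Examiner", "imaged on workstation", "workstation 2", image)
    intact_before = chain_intact(item)         # True: the image hashes the same as the original
    altered = bytearray(original)
    altered[100] ^= 0xFF                        # an undocumented write to the original media
    log_action(item, "B. Examiner", "returned to locker", "locker 3", bytes(altered))
    return intact_before, chain_intact(item)    # (True, False)
```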
Securing Your Evidence (1 of 2)

• Use evidence bags to secure and catalog the evidence
• Use computer-safe products when collecting computer evidence
  • Antistatic bags
  • Antistatic pads
• Use well-padded containers
• Use evidence tape to seal all openings
  • CD drive bays
  • Insertion slots for power supply electrical cords and USB cables
Securing Your Evidence (2 of 2)

• Write your initials on the tape to prove that the evidence has not been tampered with
• Consider computer-specific temperature and humidity ranges
• Make sure you have a safe environment for transporting and storing the evidence until a secure evidence container is available
Procedures for Private-Sector High-Tech Investigations

Develop formal procedures and informal checklists to cover all issues important to high-tech investigations, such as:

• Employee termination cases
• Internet abuse cases
• E-mail abuse cases
• Attorney-client privilege investigations
• Industrial espionage cases
Employee Termination Cases

• The majority of investigative work for termination cases involves employee abuse of corporate assets
• Incidents that create a hostile work environment are the predominant types of cases investigated
  • Viewing pornography in the workplace
  • Sending inappropriate e-mails
• Organizations must have appropriate policies in place
Internet Abuse Investigations (1 of 3)

To conduct an investigation you need to prepare the following:

• The organization's Internet proxy server logs
• The suspect computer's IP address
• The suspect computer's disk drive
• Your preferred computer forensics analysis tool
Internet Abuse Investigations (2 of 3)

The following steps outline the recommended processing of an Internet abuse case:

1. Use the standard forensic analysis techniques and procedures.
2. Use your tool's Internet keyword search option to extract all Web page URL information.
3. Contact the network firewall administrator and request a proxy server log.
Internet Abuse Investigations (3 of 3)

4. Compare the data recovered from the forensic analysis to the proxy server log data to confirm that they match.
   a) If the URL data matches the proxy server log and the forensic disk examination, continue analyzing the suspect computer's drive data, and collect any relevant downloaded inappropriate pictures or Web pages that support the allegation.
   b) If there are no matches with the proxy server logs and the forensic examination shows no contributing evidence, report that the allegation is unsubstantiated.
5. Continue analyzing the computer's disk drive data.
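Step 4 above (comparing the URLs recovered from the drive with the proxy server log entries for the suspect computer's IP address), as an added Python example rather than course code. The log layout, IP addresses and URLs are constructed for the example, and the third outcome in assess (disk artifacts the proxy never logged) is an assumption added here, not one of the slide's two cases.

```python
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Constructed proxy log excerpt; the layout "<timestamp> <client-ip> <method> <url> <status>"
# is an assumption for this example, not a specific product's format
PROXY_LOG = """\
2024-03-04T10:15:02Z 10.0.5.23 GET http://Example-Gambling.test/bets/ 200
2024-03-04T10:15:09Z 10.0.5.23 GET http://example-gambling.test/bets/odds.html 200
2024-03-04T10:16:40Z 10.0.5.41 GET http://news.example.test/ 200
2024-03-04T10:17:11Z 10.0.5.23 GET https://intranet.example.test/timesheet 200
"""

# Constructed URL list standing in for what a keyword search of the suspect's drive extracts (step 2)
DISK_URLS = [
    "http://example-gambling.test/bets",
    "http://example-gambling.test/bets/odds.html",
    "http://example-gambling.test/cache/only-on-disk.html",
]

def normalize(url: str) -> str:
    # Lowercase scheme and host and drop a trailing slash so equivalent URLs compare equal
    # (query strings are ignored in this example)
    p = urlsplit(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path.rstrip('/')}"

def proxy_urls_for(log_text: str, client_ip: str) -> Set[str]:
    # Keep only the proxy entries attributable to the suspect computer's IP address
    urls = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1] == client_ip:
            urls.add(normalize(parts[3]))
    return urls

def correlate(disk_urls: List[str], log_text: str, client_ip: str) -> Tuple[Set[str], Set[str]]:
    # Step 4: return (URLs seen on both disk and proxy, URLs found only on the disk)
    from_disk = {normalize(u) for u in disk_urls}
    from_proxy = proxy_urls_for(log_text, client_ip)
    return from_disk & from_proxy, from_disk - from_proxy

def assess(corroborated: Set[str], disk_only: Set[str]) -> str:
    # 4a: matches -> keep analyzing the drive; 4b: nothing on either side -> unsubstantiated
    if corroborated:
        return "corroborated: continue drive analysis and collect supporting artifacts"
    if not disk_only:
        return "unsubstantiated"
    # Assumed third outcome, not one of the slide's two cases: disk artifacts the proxy never saw
    return "uncorroborated disk artifacts: check proxy log coverage before concluding"
```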
E-mail Abuse Investigations (1 of 2)

To conduct an investigation you need to prepare the following:

• An electronic copy of the offending e-mail that contains the message header data
• If available, e-mail server log records
• For e-mail systems that store users' messages on a central server, access to the server
• Access to the computer so that you can perform a forensic analysis on it
• Your preferred computer forensics analysis tool
E-mail Abuse Investigations (2 of 2)

The following steps outline the recommended processing of an e-mail abuse case:

• For computer-based e-mail data files: use the standard forensic analysis techniques and procedures.
• For server-based e-mail data files: contact the e-mail server administrator and obtain an electronic copy of the suspect's and victim's e-mail folders or data.
• For Web-based e-mail investigations, such as Hotmail or Gmail: use tools such as Forensic Toolkit's Internet keyword search option to extract all related e-mail address information.
• Examine the header data of all messages of interest to the investigation.
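Examining the header data of a message of interest, as an added Python example that is not from the course: the raw message, hostnames and IP addresses are constructed. It unfolds the Received chain oldest-first, pulls the originating IP from the first hop, and notes when the header From domain differs from the envelope sender in Return-Path.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed sample message (not a real capture); Received headers appear newest-first, as an MTA writes them
RAW_MESSAGE = """\
Return-Path: <someone@free-mail.test>
Received: from mx1.corp.test (mx1.corp.test [198.51.100.7])
    by mail.corp.test with ESMTP id ABC123; Mon, 4 Mar 2024 10:20:05 +0000
Received: from relay.free-mail.test (relay.free-mail.test [203.0.113.9])
    by mx1.corp.test with ESMTP id XYZ789; Mon, 4 Mar 2024 10:20:01 +0000
Message-ID: <20240304102000.1@free-mail.test>
Date: Mon, 4 Mar 2024 10:20:00 +0000
From: "Payroll Dept" <payroll@corp.test>
To: victim@corp.test
Subject: Updated bank details

Please update the account on file.
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def address_domain(header_value: Optional[str]) -> str:
    # Domain part of the mailbox in a From/Return-Path style header ("" if absent)
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def received_hops(msg: Message) -> List[str]:
    # Unfold each Received header and order them oldest-first, i.e. the path the message took
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def examine_headers(raw: str) -> Dict[str, object]:
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    first_hop_ip = IP_IN_BRACKETS.search(hops[0]) if hops else None
    return {
        "message_id": msg["Message-ID"],
        "date": msg["Date"],
        "header_from": msg["From"],
        "envelope_sender": msg["Return-Path"],
        "originating_ip": first_hop_ip.group(1) if first_hop_ip else None,
        "hops": hops,
        # A From domain that differs from the envelope sender's domain is worth recording in the report
        "sender_domain_mismatch": address_domain(msg["From"]) != address_domain(msg["Return-Path"]),
    }
```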
Media Leak Investigations (1 of 4)

• Disgruntled employees, for example, might send an organization's sensitive data to a news reporter.
• Other reasons range from employees' efforts to embarrass management to a rival conducting a power struggle between internal organizations.
• Another concern is the premature release of information about new products, which can disrupt operations and cause market share loss for a business if the information is made public too soon.
Media Leak Investigations (2 of 4)

To conduct an investigation you need to consider the following:

• Examine e-mail
• Examine Internet message boards
• Examine proxy server logs
• Examine known suspects' workstations
• Examine all company telephone records
Media Leak Investigations (3 of 4)

The following steps outline the recommended processing of a media leak case:

1. Interview management privately to get a list of employees who have direct knowledge of the sensitive data.
2. Identify the media source that published the information.
3. Review company phone records to see who might have had contact with the news service.
4. Obtain a list of keywords related to the media leak.
5. Perform keyword searches on proxy and e-mail servers.
Media Leak Investigations (4 of 4)

6. Discreetly conduct forensic disk acquisitions and analysis of employees of interest.
7. From the forensic disk examinations, analyze all e-mail correspondence and trace any sensitive messages to other people who haven't been listed as having direct knowledge of the sensitive data.
8. Expand the discreet forensic disk acquisition and analysis to any new persons of interest.
9. Consolidate and review your findings periodically to see whether new clues can be discovered.
10. Report findings to management routinely, and discuss how much further to continue.
Industrial Espionage Investigations (1 of 5)

All suspected industrial espionage cases should be treated as criminal investigations.

Staff needed:
• Digital investigator who is responsible for disk forensic examinations
• Technology specialist who is knowledgeable about the suspected compromised technical data
• Network specialist who can perform log analysis and set up network sniffers
• Threat assessment specialist (typically an attorney)
Industrial Espionage Investigations (2 of 5)

Guidelines when initiating an investigation:

• Determine whether this investigation involves a possible industrial espionage incident
• Consult with corporate attorneys and upper management
• Determine what information is needed to substantiate the allegation
• Generate a list of keywords for disk forensics and sniffer monitoring
• List and collect resources for the investigation
• Determine the goal and scope of the investigation
• Initiate the investigation after approval from management
Industrial Espionage Investigations (3 of 5)

The following steps outline the recommended processing of an industrial espionage case:

1. Gather all personnel assigned to the investigation and brief them on the plan and any concerns.
2. Gather the resources needed to conduct the investigation.
3. Start the investigation by placing surveillance systems, such as cameras and network monitors, at key locations.
Industrial Espionage Investigations (4 of 5)

4. Discreetly gather any additional evidence, such as the suspect's computer drive, and make a bit-stream image for follow-up examination.
5. Collect all log data from networks and e-mail servers, and examine them for unique items that might relate to the investigation.
6. Report regularly to management and corporate attorneys on your investigation's status and current findings.
7. Review the investigation's scope with management and corporate attorneys to determine whether it needs to be expanded and more resources added.
Interviews and Interrogations in High-Tech Investigations (1 of 2)

• Interview
  • Usually conducted to collect information from a witness or suspect
• Interrogation
  • The process of trying to get a suspect to confess

Becoming a skilled interviewer and interrogator can take many years of experience.
Interviews and Interrogations in High-Tech Investigations (2 of 2)

Your role as a digital investigator in the interview is:

• to instruct the investigator conducting the interview on what questions to ask and what the answers should be

Ingredients for a successful interview or interrogation:

• Being patient throughout the session
• Repeating or rephrasing questions to zero in on specific facts from a reluctant witness or suspect
• Being tenacious
Additional Resources

• Helix Live CD: www.e-fense.com/helix/index.php
• International Association of Computer Investigative Specialists (IACIS): www.iacis.org/
• High-Tech Crime Network (HTCN): www.htcn.org/
• Forensic discovery auditing of digital evidence containers: http://www.sciencedirect.com/science/article/pii/S1742287607000291
• Always plan a case taking into account the nature of the case, the case requirements, and evidence-gathering techniques
• Both criminal cases and corporate-policy violations can go to court
• Plan for contingencies for any problems you might encounter
• Keep track of the chain of custody of your evidence
• Internet abuse investigations require examining server log data
• For attorney-client privilege cases, all written communication should remain confidential
• A bit-stream copy is a bit-by-bit duplicate of the original disk
• Always maintain a journal to keep notes on exactly what you did
• You should always critique your own work