Module 1 - Introduction To Digital Investigation and Forensics

This document provides an introduction to digital investigation and forensics. It discusses the objectives of describing the field of digital forensics and explaining how to properly conduct computer investigations. It outlines the importance of maintaining professional conduct and taking a systematic approach. The document describes the differences between public and private sector investigations and the procedures for private sector digital investigations. It also discusses requirements for data recovery workstations and software and summarizes how to properly conduct an investigation.

Introduction to Digital Investigation and Forensics

Lecture 1

Objectives

• Describe the field of digital forensics
• Explain how to prepare computer investigations and summarize the difference between public-sector and private-sector investigations
• Explain the importance of maintaining professional conduct
• Describe how to prepare a digital forensics investigation by taking a systematic approach
• Describe procedures for private-sector digital investigations
• Explain requirements for data recovery workstations and software
• Summarize how to conduct an investigation, including critiquing a case

An Overview of Digital Forensics

• Digital forensics
  • The application of computer science and investigative procedures for a legal purpose, involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation
• In October 2012 an ISO standard for digital forensics, ISO 27037 (Information technology - Security techniques), was ratified

Digital Forensics and Other Related Disciplines (1 of 2)

• Investigating digital devices includes:
  • Collecting data securely
  • Examining suspect data to determine details such as origin and content
  • Presenting digital information to courts
  • Applying laws to digital device practices
• Digital forensics is different from data recovery
  • Data recovery involves retrieving information that was deleted by mistake or lost during a power surge or server crash
• Forensics investigators often work as part of a team, known as the investigations triad

Digital Forensics and Other Related Disciplines (2 of 2)

Preparing for Digital Investigations

• Digital investigations fall into two categories:
  • Public-sector investigations
  • Private-sector investigations

Understanding Public-Sector Investigations

• When conducting public-sector investigations, you must understand laws on computer-related crimes, including:
  • Standard legal processes
  • Guidelines on search and seizure
  • How to build a criminal case

Understanding Private-Sector Investigations

• Private-sector investigations involve private companies and lawyers who address company policy violations and litigation disputes
  • Example: wrongful termination
• Businesses strive to minimize or eliminate litigation
• Private-sector crimes can involve:
  • E-mail harassment, falsification of data, gender and age discrimination, embezzlement, sabotage, and industrial espionage

Maintaining Professional Conduct

• Professional conduct includes ethics, morals, and standards of behavior
• An investigator must exhibit the highest level of professional behavior at all times
  • Maintain objectivity
  • Maintain credibility by maintaining confidentiality
• Investigators should also attend training to stay current with the latest technical changes in computer hardware and software, networking, and forensic tools

Preparing a Digital Forensics Investigation

• The role of a digital forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy
  • Collect evidence that can be offered in court or at a corporate inquiry
  • Investigate the suspect’s computer
  • Preserve the evidence on a different computer
• Chain of custody
  • The route the evidence takes from the time you find it until the case is closed or goes to court

Taking a Systematic Approach (1 of 2)

• Steps for problem solving
  • Make an initial assessment about the type of case you are investigating
  • Determine a preliminary design or approach to the case
  • Create a detailed checklist
  • Determine the resources you need
  • Obtain and copy an evidence drive

Taking a Systematic Approach (2 of 2)

• Steps for problem solving (cont’d)
  • Identify the risks
  • Mitigate or minimize the risks
  • Test the design
  • Analyze and recover the digital evidence
  • Investigate the data you recover
  • Complete the case report
  • Critique the case

Assessing the Case

• Systematically outline the case details
  • Situation
  • Nature of the case
  • Specifics of the case
  • Type of evidence
  • Known disk format
  • Location of evidence
• Based on these details, you can determine the case requirements

Planning Your Investigation

• A basic investigation plan should include the following activities:
  • Acquire the evidence
  • Complete an evidence form and establish a chain of custody
  • Transport the evidence to a computer forensics lab
  • Secure the evidence in an approved secure container
  • Prepare your forensics workstation
  • Retrieve the evidence from the secure container
  • Make a forensic copy of the evidence
  • Return the evidence to the secure container
  • Process the copied evidence with computer forensics tools

Securing Your Evidence

• Use evidence bags to secure and catalog the evidence
• Use computer-safe products when collecting computer evidence
  • Antistatic bags
  • Antistatic pads
• Use well-padded containers
• Use evidence tape to seal all openings
  • CD drive bays
  • Insertion slots for power supply electrical cords and USB cables

Example Procedures for Private-Sector High-Tech Investigations

• As an investigator, you need to develop formal procedures and informal checklists
  • To cover all issues important to high-tech investigations
  • This ensures that correct techniques are used in an investigation

Internet Abuse Investigations

• To conduct an investigation you need:
  • The organization’s Internet proxy server logs
  • The suspect computer’s IP address
  • The suspect computer’s disk drive
  • Your preferred computer forensics analysis tool
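
The first two items on that list, the proxy logs and the suspect's IP address, are enough to start the review. The Python below is an added example, not part of the lecture or its textbook: it parses constructed log lines in the Squid access.log layout, keeps only the records attributed to the suspect's address, and summarizes them per host so the figures can go into the case report beside the disk findings. The IP addresses, host names and the log contents are all constructed placeholders, and one deliberately corrupt line shows that a malformed record is skipped rather than aborting the review.

```python
"""Added example (not from the lecture): reviewing an organization's proxy log
for one suspect IP address, the starting point of an Internet-abuse
investigation. Log lines are constructed in the Squid access.log layout:
  <unix time> <elapsed ms> <client ip> <result/status> <bytes> <method> <url> ...
All addresses and host names are placeholders.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample log; 10.1.2.50 is the hypothetical suspect workstation.
SAMPLE_LOG = """\
1700000000.123    245 10.1.2.50 TCP_MISS/200 51234 GET http://gambling.example/bets - HIER_DIRECT/203.0.113.9 text/html
1700000031.456     80 10.1.2.51 TCP_HIT/200 2048 GET http://intranet.example/home - NONE/- text/html
1700000090.789    310 10.1.2.50 TCP_MISS/200 88210 GET http://gambling.example/live - HIER_DIRECT/203.0.113.9 text/html
1700000120.001     15 10.1.2.50 TCP_DENIED/403 0 GET http://filesharing.example/dl?id=7 - NONE/- text/html
this line is corrupt and must not abort the review
1700000400.555    200 10.1.2.50 TCP_MISS/200 4096 GET http://news.example/ - HIER_DIRECT/198.51.100.7 text/html
"""


@dataclass(frozen=True)
class ProxyEntry:
    when: datetime
    client_ip: str
    status: int
    size: int
    method: str
    url: str

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""


def parse_line(line: str) -> Optional[ProxyEntry]:
    """Parse one Squid-style line; return None for blank or malformed lines
    instead of raising, so one bad record never stops the whole review."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        when = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
        status = int(fields[3].split("/")[1])   # "TCP_MISS/200" -> 200
        size = int(fields[4])
    except (ValueError, IndexError):
        return None
    return ProxyEntry(when, fields[2], status, size, fields[5], fields[6])


def entries_for_ip(log_text: str, suspect_ip: str) -> list:
    """All well-formed records attributed to the suspect's IP address."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [e for e in parsed if e is not None and e.client_ip == suspect_ip]


def summarize(entries: list) -> dict:
    """Per-host request counts, bytes transferred, denied requests and the
    activity window: the figures that go into the report."""
    hits, byte_totals, denied = Counter(), defaultdict(int), []
    for e in entries:
        hits[e.host] += 1
        byte_totals[e.host] += e.size
        if e.status == 403:
            denied.append(e.url)
    return {"hosts": dict(hits), "bytes": dict(byte_totals), "denied": denied,
            "first": min((e.when for e in entries), default=None),
            "last": max((e.when for e in entries), default=None)}


if __name__ == "__main__":
    report = summarize(entries_for_ip(SAMPLE_LOG, "10.1.2.50"))
    for host, n in report["hosts"].items():
        print(f"{host}: {n} request(s), {report['bytes'][host]} bytes")
```

A proxy log ties activity to an IP address, not to a person; the DHCP lease records and the browser history recovered from the suspect's disk drive (the third item on the slide) are what corroborate that the address belonged to that workstation at those times.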

E-mail Abuse Investigations

• To conduct an investigation you need:
  • An electronic copy of the offending e-mail that contains the message header data
  • If available, e-mail server log records
  • For e-mail systems that store users’ messages on a central server, access to the server
  • Access to the computer so that you can perform a forensic analysis on it
  • Your preferred computer forensics analysis tool
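
The reason the slide insists on a copy that still contains the header data is that the headers, not the visible sender line, record where the message actually came from. The Python below is an added example, not part of the lecture: it uses the standard library's email parser on a constructed message (all hosts, addresses and IDs are placeholders) to pull out the sender, Message-ID, Date and the chain of Received hops, and then splits the hops into the ones written by servers you control and the ones written by someone else.

```python
"""Added example (not from the lecture): extracting the header data an
e-mail-abuse investigation relies on from a stored message. The message is
constructed; every host name, address and ID in it is a placeholder."""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.corp.example (Postfix) with ESMTPS id 4ABC123
    for <victim@corp.example>; Mon, 06 Nov 2023 09:15:02 +0000
Received: from workstation-17.example.org (unknown [198.51.100.23])
    by mail.example.org (Postfix) with ESMTP id 1DEF456;
    Mon, 06 Nov 2023 09:14:58 +0000
Message-ID: <20231106091458.1DEF456@mail.example.org>
Date: Mon, 06 Nov 2023 09:14:58 +0000
From: "A. Sender" <sender@example.org>
To: victim@corp.example
Subject: Re: your performance

Message body (constructed).
"""

# "from <host> ... by <host>" as written by each relay; the bracketed IPv4
# address is the connecting peer as the relay saw it.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+).*?by\s+(?P<by>\S+)", re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def header_summary(raw: str) -> dict:
    """Sender, Message-ID, Date and the Received chain in delivery order."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for rec in msg.get_all("Received", []):
        text = str(rec)
        m, ip = RECEIVED_RE.search(text), IP_RE.search(text)
        hops.append({"from": m.group("from") if m else None,
                     "by": m.group("by") if m else None,
                     "ip": ip.group(1) if ip else None})
    # Each relay prepends its Received line, so the top one is the last hop;
    # reverse the list to read the path from origin to recipient.
    hops.reverse()
    name, addr = parseaddr(str(msg["From"]))
    return {"from_name": name, "from_addr": addr,
            "message_id": str(msg["Message-ID"]),
            "date": parsedate_to_datetime(str(msg["Date"])), "hops": hops}


def trust_split(hops: list, own_servers: set) -> dict:
    """Only the hops recorded by servers you control are known to be genuine;
    earlier lines were written by other parties and could have been forged,
    so they are reported separately and checked against server logs."""
    return {"trusted": [h for h in hops if h["by"] in own_servers],
            "unverified": [h for h in hops if h["by"] not in own_servers]}


if __name__ == "__main__":
    summary = header_summary(SAMPLE_MESSAGE)
    for hop in summary["hops"]:
        print(f"{hop['from']} [{hop['ip']}] -> {hop['by']}")
    print(trust_split(summary["hops"], {"mx.corp.example"}))
```

The trusted hop (the one your own mail exchanger wrote) is what you match against the e-mail server log records the slide mentions: the relay's queue ID and timestamp should appear in those logs, and if they do not, the header copy you were given is not what the server delivered.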

Understanding Data Recovery Workstations and Software

• Investigations are conducted in a computer forensics lab (or data-recovery lab)
• In data recovery, the customer or your company just wants the data back
• Computer forensics workstation
  • A specially configured PC
  • Loaded with additional bays and forensics software
• To avoid altering the evidence, use:
  • Write-blocker devices
    - Enable you to boot to Windows without writing data to the evidence drive

Setting Up Your Workstation for Digital Forensics

• Basic requirements
  • A workstation running Windows 7 or later
  • A write-blocker device
  • A digital forensics acquisition tool
  • A digital forensics analysis tool
  • A target drive to receive the source or suspect disk data
  • Spare PATA or SATA ports
  • USB ports

Summary of Conducting an Investigation

• Gather the resources identified in the investigation plan
• Items needed
  • Original storage media
  • Evidence custody form
  • Evidence container for the storage media
  • Bit-stream imaging tool
  • Forensic workstation to copy and examine your evidence
  • Securable evidence locker, cabinet, or safe

Acquiring an Image of Evidence Media

• First rule of computer forensics
  • Preserve the original evidence
  • Conduct your analysis only on a copy of the data
• Several vendors provide MS-DOS, Linux, and Windows acquisition tools
  • Windows tools require a write-blocking device when acquiring data from FAT or NTFS file systems
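
The first rule of the slide, together with the "validation with mathematics" in the definition of digital forensics and the chain of custody described earlier, comes down to three mechanical steps: copy every byte, hash the source and the copy, and record who did it and when. The Python below is an added example, not an acquisition tool from the lecture or any vendor: it images a constructed file in a temporary directory, verifies the SHA-256 of the image against the hash computed while the source was read, and writes a custody-form entry that lets anyone later prove the image is unchanged. The case ID and examiner name are placeholders, and the read-only open is a software precaution only; it does not replace the hardware write-blocker the slides call for when the source is a real drive.

```python
"""Added example (not from the lecture): a bit-stream copy of an evidence
source with hash verification and a chain-of-custody record, run against a
constructed file. On real media the source would be the block device behind
a hardware write-blocker; the read-only open here is not a substitute."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 1024 * 1024   # copy in 1 MiB chunks so large media never sit in RAM


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_source(src_path: str, image_path: str, block_size: int = BLOCK) -> dict:
    """Copy src_path byte-for-byte to image_path, hashing the source as it is
    read and the finished image afterwards. The two digests must match
    before the image is used for analysis."""
    src_hash = hashlib.sha256()
    copied = 0
    fd = os.open(src_path, os.O_RDONLY)        # never open evidence for writing
    with os.fdopen(fd, "rb") as src, open(image_path, "wb") as dst:
        while chunk := src.read(block_size):
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    image_hash = hash_file(image_path)
    return {"bytes": copied, "source_sha256": src_hash.hexdigest(),
            "image_sha256": image_hash,
            "verified": image_hash == src_hash.hexdigest()}


def custody_entry(case_id: str, item: str, action: str, who: str, result: dict) -> dict:
    """One line of the evidence custody form: who did what to which item,
    when, and the digest that lets anyone later check it is unchanged."""
    return {"case": case_id, "item": item, "action": action, "by": who,
            "utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sha256": result["image_sha256"], "bytes": result["bytes"]}


def demo() -> dict:
    """Build constructed evidence, image it, verify, and re-verify later."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect_drive.bin")
        img = os.path.join(d, "suspect_drive.dd")
        with open(src, "wb") as f:     # constructed "drive": a 512-byte sector + text
            f.write(b"MBR" + bytes(509) + b"evidence file text\n" * 3000)
        result = image_source(src, img)
        entry = custody_entry("CASE-0001 (placeholder)", "suspect_drive",
                              "acquired image", "examiner (placeholder)", result)
        # Later re-verification before analysis: stored digest must still match.
        result["recheck"] = hash_file(img) == entry["sha256"]
        result["custody"] = json.dumps(entry)
    return result


if __name__ == "__main__":
    out = demo()
    print("verified:", out["verified"], "bytes:", out["bytes"])
    print(out["custody"])
```

The same hash is re-computed whenever the image changes hands or is reloaded on the workstation, and each re-computation gets its own custody-form line; a digest that no longer matches is the signal that the copy, not the original, must be discarded and re-acquired.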

Analyzing Your Digital Evidence

• Your job is to recover data from:
  • Deleted files
  • File fragments
  • Complete files
• Deleted files linger on the disk until new data is saved on the same physical location
• Tools can be used to retrieve deleted files
  • Autopsy
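
The slide's point that deleted files linger until their location is overwritten is what signature-based carving relies on: the directory entry is gone, but the file's header and trailer are still in the unallocated sectors. The Python below is an added example, not code from Autopsy or the lecture: it builds a constructed raw image in memory, carves JPEG, PNG and PDF files by their magic bytes (the general algorithm, applied to more file types than the slide names), leaves an orphaned header alone as the file-fragment case, and then overwrites the sector a carved file occupied to show that it can no longer be recovered.

```python
"""Added example (not from the lecture): carving files out of raw image
bytes by signature, the way deleted files with no directory entry are
recovered while their sectors are still unallocated. The image is
constructed; the "files" are tiny stand-ins carrying real magic bytes."""
SECTOR = 512

# header signature -> trailer signature, per file type (assumed here; these are
# the standard magic bytes of each format)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),              # SOI ... EOI marker
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),   # header ... IEND chunk
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(image: bytes, max_size: int = 1 << 20) -> list:
    """Return every header/trailer pair found, sorted by offset. A header with
    no trailer within max_size is a fragment and is skipped, not carved."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        start = 0
        while (pos := image.find(head, start)) != -1:
            end = image.find(tail, pos + len(head), pos + max_size)
            if end == -1:
                start = pos + 1          # orphaned header: keep scanning past it
                continue
            end += len(tail)
            found.append({"type": kind, "offset": pos, "size": end - pos,
                          "data": image[pos:end]})
            start = end
    return sorted(found, key=lambda f: f["offset"])


def build_image() -> bytes:
    """Constructed 8 KiB of 'unallocated' sectors holding two deleted files
    and one header-only fragment."""
    img = bytearray(16 * SECTOR)
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 60 + b"IEND\xaeB`\x82"
    img[2 * SECTOR:2 * SECTOR + len(jpg)] = jpg       # sector 2
    img[6 * SECTOR:6 * SECTOR + len(png)] = png       # sector 6
    img[12 * SECTOR:12 * SECTOR + 3] = b"\xff\xd8\xff"  # fragment, no trailer
    return bytes(img)


def overwrite_sector(image: bytes, sector: int, payload: bytes) -> bytes:
    """Simulate new data being saved over the sector a deleted file occupied."""
    buf = bytearray(image)
    buf[sector * SECTOR:(sector + 1) * SECTOR] = payload[:SECTOR].ljust(SECTOR, b"\x00")
    return bytes(buf)


if __name__ == "__main__":
    image = build_image()
    for f in carve(image):
        print(f"{f['type']} at offset {f['offset']}, {f['size']} bytes")
    reused = overwrite_sector(image, 2, b"new document saved by the user")
    print("after reuse of sector 2:", [f["type"] for f in carve(reused)])
```

Carving recovers content, not names or timestamps; those come from file-system metadata, which is why the recovered files are still examined in a tool such as Autopsy that can tie them back to whatever directory entries survive.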

Completing the Case (1 of 2)

• You need to produce a final report
  • State what you did and what you found
  • If required, use a report template
• The report should show conclusive evidence
  • The suspect did or did not commit a crime or violate a company policy

Completing the Case (2 of 2)

• Keep a written journal of everything you do
  • Your notes can be used in court
• Answer the six Ws:
  • Who, what, when, where, why, and how
• You must also explain computer and network processes
• Tools such as Autopsy and ProDiscover Basic can generate reports in different styles: plain text, HTML, and Excel

Critiquing the Case

• Ask yourself the following questions:
  • How could you improve your performance in the case?
  • Did you expect the results you found? Did the case develop in ways you did not expect?
  • Was the documentation as thorough as it could have been?
  • What feedback has been received from the requesting source?
  • Did you discover any new problems? If so, what are they?
  • Did you use new techniques during the case or during research?

Summary

• Digital forensics involves systematically accumulating and analyzing digital information for use as evidence in civil, criminal, and administrative cases
• Investigators need specialized workstations to examine digital evidence
• Public-sector and private-sector investigations differ; public-sector investigations typically require search warrants before seizing digital evidence
• Always use a systematic approach to your investigations

References

• Nelson, B., Phillips, A., & Steuart, C. (2019). Guide to computer forensics and investigations. Cengage Learning.
• Hayes, D. R. (2015). A practical guide to computer forensics investigations. Pearson Education.
• Nelson, B., Phillips, A., & Steuart, C. (2015). Guide to computer forensics and investigations: Processing digital evidence. Cengage Learning.
• Sachowski, J. (2018). Digital forensics and investigations: People, process, and technologies to defend the enterprise. CRC Press.