Guide to Computer Forensics

and Investigations
Fifth Edition

Module 1
Understanding The Digital Forensics
Profession and Investigations
 An Overview of Digital Forensics

• Digital forensics
– The application of computer science and
investigative procedures for a legal purpose
• involving the analysis of digital evidence after proper
search authority, chain of custody, validation with
mathematics, use of validated tools, repeatability,
reporting, and possible expert presentation.
– In October 2012, an ISO standard for digital
forensics was ratified - ISO 27037 Information
technology - Security techniques

2
 An Overview of Digital Forensics

• The Federal Rules of Evidence (FRE) was created

to ensure consistency in federal proceedings
– Signed into law in 1973
– Many states’ rules map to the FRE
• FBI Computer Analysis and Response Team
(CART) was formed in 1984 to handle cases
involving digital evidence
• By late 1990s, CART teamed up with Department
of Defense Computer Forensics Laboratory (DCFL)

3
 An Overview of Digital Forensics

• The Fourth Amendment to the U.S. Constitution

protects everyone’s right to be secure from search
and seizure
– Separate search warrants might not be necessary
for digital evidence
• Every U.S. jurisdiction has case law related to the
admissibility of evidence recovered from computers
and other digital devices

4
 Digital Forensics and Other Related
Disciplines

• Investigating digital devices includes:

– Collecting data securely
– Examining suspect data to determine details such as
origin and content
– Presenting digital information to courts
– Applying laws to digital device practices
• Digital forensics is different from data recovery
– Which involves retrieving information that was
deleted by mistake or lost during a power surge or
server crash
5
 Digital Forensics and Other Related
Disciplines

• Forensics investigators often work as part of a

team, known as the investigations triad

6
 Digital Forensics and Other Related
Disciplines
• Vulnerability/threat assessment and risk
management
– Tests and verifies the integrity of stand-along workstations
and network servers
• Network intrusion detection and incident response
– Detects intruder attacks by using automated tools and
monitoring network firewall logs
• Digital investigations
– Manages investigations and conducts forensics analysis of
systems suspected of containing evidence

7
 A Brief History of Digital Forensics

• By the early 1990s, the International Association of

Computer Investigative Specialists (IACIS)
introduced training on software for digital forensics
• IRS created search-warrant programs
• ASR Data created Expert Witness for Macintosh
• ILook is currently maintained by the IRS Criminal
Investigation Division
• AccessData Forensic Toolkit (FTK) is a popular
commercial product

8
 Understanding Case Law

• Existing laws can’t keep up with the rate of

technological change
• When statutes don’t exist, case law is used
– Allows legal counsel to apply previous similar cases
to current one in an effort to address ambiguity in
laws
• Examiners must be familiar with recent court
rulings on search and seizure in the electronic
environment

9
 Developing Digital Forensics
Resources

• To supplement your knowledge:

– Develop and maintain contact with computing,
network, and investigative professionals
– Join computer user groups in both the pubic and
private sectors
• Example: Computer Technology Investigators
Network (CTIN) meets to discuss problems with
digital forensics examiners encounter
– Consult outside experts

10
 Preparing for Digital Investigations

• Digital
investigations
fall into two
categories:
– Public-sector
investigations
– Private-sector
investigations

11
 Preparing for Digital Investigations

• Public-sector investigations involve government

agencies responsible for criminal investigations and
prosecution
• Fourth Amendment to the U.S. Constitution
– Restrict government search and seizure
• The Department of Justice (DOJ) updates
information on computer search and seizure
regularly
• Private-sector investigations focus more on policy
violations
12
 Understanding Law Enforcement
Agency Investigations

• When conducting public-sector investigations, you

must understand laws on computer-related crimes
including:
– Standard legal processes
– Guidelines on search and seizure
– How to build a criminal case
• The Computer Fraud and Abuse Act was passed in
1986
– Specific state laws were generally developed later

13
 Following Legal Processes

• Digital Evidence First Responder (DEFR)

– Arrives on an incident scene, assesses the situation,
and takes precautions to acquire and preserve
evidence
• Digital Evidence Specialist (DES)
– Has the skill to analyze the data and determine when
another specialist should be called in to assist
• Affidavit - a sworn statement of support of facts
about or evidence of a crime
– Must include exhibits that support the allegation
14
 Understanding Private-Sector
Investigations

• Private-sector investigations involve private

companies and lawyers who address company
policy violations and litigation disputes
– Example: wrongful termination
• Businesses strive to minimize or eliminate litigation
• Private-sector crimes can involve:
– E-mail harassment, falsification of data, gender and
age discrimination, embezzlement, sabotage, and
industrial espionage

15
 Understanding Private-Sector
Investigations

• Businesses can reduce the risk of litigation by

publishing and maintaining policies that employees
find easy to read and follow
• Most important policies define rules for using the
company’s computers and networks
– Known as an “Acceptable use policy”
• Line of authority - states who has the legal right to
initiate an investigation, who can take possession
of evidence, and who can have access to evidence

16
 Understanding Private-Sector
Investigations

• Business can avoid litigation by displaying a

warning banner on computer screens
– Informs end users that the organization reserves the
right to inspect computer systems and network traffic
at will

17
 Understanding Private-Sector
Investigations

• Sample text that can be used in internal warning

banners:
– Use of this system and network is for official
business only
– Systems and networks are subject to monitoring at
any time by the owner
– Using this system implies consent to monitoring by
the owner
– Unauthorized or illegal users of this system or
network will be subject to discipline or prosecution
18
 Understanding Private-Sector
Investigations

• Businesses are advised to specify an authorized

requester who has the power to initiate
investigations
• Examples of groups with authority
– Corporate security investigations
– Corporate ethics office
– Corporate equal employment opportunity office
– Internal auditing
– The general counsel or legal department

19
 Understanding Private-Sector
Investigations

• During private investigations, you search for

evidence to support allegations of violations of a
company’s rules or an attack on its assets
• Three types of situations are common:
– Abuse or misuse of computing assets
– E-mail abuse
– Internet abuse
• A private-sector investigator’s job is to minimize
risk to the company

20
 Understanding Private-Sector
Investigations

• The distinction between personal and company

computer property can be difficult with cell phones,
smartphones, personal notebooks, and tablet
computers
• Bring your own device (BYOD) environment
– Some companies state that if you connect a
personal device to the business network, it falls
under the same rules as company property

21
 Maintaining Professional Conduct

• Professional conduct - includes ethics, morals,

and standards of behavior
• An investigator must exhibit the highest level of
professional behavior at all times
– Maintain objectivity
– Maintain credibility by maintaining confidentiality
• Investigators should also attend training to stay
current with the latest technical changes in
computer hardware and software, networking, and
forensic tools
22
 Preparing a Digital Forensics
Investigation

• The role of digital forensics professional is to gather

evidence to prove that a suspect committed a crime
or violated a company policy
• Collect evidence that can be offered in court or at a
corporate inquiry
– Investigate the suspect’s computer
– Preserve the evidence on a different computer
• Chain of custody
– Route the evidence takes from the time you find it
until the case is closed or goes to court
23
 An Overview of a Computer Crime
• Computers can contain information that helps law
enforcement determine:
– Chain of events leading to a crime
– Evidence that can lead to a conviction
• Law enforcement officers should follow proper procedure
when acquiring the evidence
– Digital evidence can be easily altered by an overeager
investigator
• A potential challenge: information on hard disks might be
password protected so forensics tools may be need to be
used in your investigation

24
 An Overview of a Company Policy
Violation

• Employees misusing resources can cost

companies millions of dollars
• Misuse includes:
– Surfing the Internet
– Sending personal e-mails
– Using company computers for personal tasks

25
 Taking a Systematic Approach

• Steps for problem solving

– Make an initial assessment about the type of case
you are investigating
– Determine a preliminary design or approach to the
case
– Create a detailed checklist
– Determine the resources you need
– Obtain and copy an evidence drive

26
 Taking a Systematic Approach

• Steps for problem solving (cont’d)

– Identify the risks
– Mitigate or minimize the risks
– Test the design
– Analyze and recover the digital evidence
– Investigate the data you recover
– Complete the case report
– Critique the case

27
 Assessing the Case

• Systematically outline the case details

– Situation
– Nature of the case
– Specifics of the case
– Type of evidence
– Known disk format
– Location of evidence
• Based on these details, you can determine the
case requirements

28
 Planning Your Investigation

• A basic investigation plan should include the

following activities:
– Acquire the evidence
– Complete an evidence form and establish a chain of
custody
– Transport the evidence to a computer forensics lab
– Secure evidence in an approved secure container

29
 Planning Your Investigation

• A basic investigation plan (cont’d):

– Prepare your forensics workstation
– Retrieve the evidence from the secure container
– Make a forensic copy of the evidence
– Return the evidence to the secure container
– Process the copied evidence with computer
forensics tools

30
 Planning Your Investigation

• An evidence custody form helps you document

what has been done with the original evidence and
its forensics copies
– Also called a chain-of-evidence form
• Two types
– Single-evidence form
• Lists each piece of evidence on a separate page
– Multi-evidence form

31
Planning Your Investigation

32
Planning Your Investigation

33
 Securing Your Evidence

• Use evidence bags to secure and catalog the

evidence
• Use computer safe products when collecting
computer evidence
– Antistatic bags
– Antistatic pads
• Use well padded containers
• Use evidence tape to seal all openings
– CD drive bays
– Insertion slots for power supply electrical cords
and USB cables
34
 Securing Your Evidence

• Write your initials on tape to prove that evidence

has not been tampered with
• Consider computer specific temperature and
humidity ranges
– Make sure you have a safe environment for
transporting and storing it until a secure evidence
container is available

35
 Procedures for Private-Sector High-
Tech Investigations

• As an investigator, you need to develop formal

procedures and informal checklists
– To cover all issues important to high-tech
investigations
– Ensures that correct techniques are used in an
investigation

36
 Employee Termination Cases

• The majority of investigative work for termination

cases involves employee abuse of corporate
assets
• Incidents that create a hostile work environment
are the predominant types of cases investigated
– Viewing pornography in the workplace
– Sending inappropriate e-mails
• Organizations must have appropriate policies in
place

37
 Internet Abuse Investigations

• To conduct an investigation you need:

– Organization’s Internet proxy server logs
– Suspect computer’s IP address
– Suspect computer’s disk drive
– Your preferred computer forensics analysis tool

38
 Internet Abuse Investigations

• Recommended steps
– Use standard forensic analysis techniques and
procedures
– Use appropriate tools to extract all Web page URL
information
– Contact the network firewall administrator and
request a proxy server log
– Compare the data recovered from forensic analysis
to the proxy server log
– Continue analyzing the computer’s disk drive data

39
 E-mail Abuse Investigations

• To conduct an investigation you need:

– An electronic copy of the offending e-mail that
contains message header data
– If available, e-mail server log records
– For e-mail systems that store users’ messages on a
central server, access to the server
– Access to the computer so that you can perform a
forensic analysis on it
– Your preferred computer forensics analysis tool

40
 E-mail Abuse Investigations

• Recommended steps
– Use the standard forensic analysis techniques
– Obtain an electronic copy of the suspect’s and
victim’s e-mail folder or data
– For Web-based e-mail investigations, use tools such
as FTK’s Internet Keyword Search option to extract
all related e-mail address information
– Examine header data of all messages of interest to
the investigation

41
Attorney-Client Privilege Investigations

• Under attorney-client privilege (ACP) rules for an

attorney
– You must keep all findings confidential
• Many attorneys like to have printouts of the data
you have recovered
– You need to persuade and educate many attorneys
on how digital evidence can be viewed electronically
• You can also encounter problems if you find data in
the form of binary files

42
Attorney-Client Privilege Investigations

• Steps for conducting an ACP case

– Request a memorandum from the attorney directing
you to start the investigation
– Request a list of keywords of interest to the
investigation
– Initiate the investigation and analysis
– For disk drive examinations, make two bit-stream
images using different tools for each image
– Compare hash signatures on all files on the original
and re-created disks
43
Attorney-Client Privilege Investigations
• Steps for conducting an ACP case (cont’d)
– Methodically examine every portion of the disk drive and
extract all data
– Run keyword searches on allocated and unallocated
disk space
– For Windows OSs, use specialty tools to analyze and
extract data from the Registry
– For binary data files such as CAD drawings, locate the
correct software product
– For unallocated data recovery, use a tool that removes
or replaces nonprintable data

44
Attorney-Client Privilege Investigations

• Steps for conducting an ACP case (cont’d)

– Consolidate all recovered data from the evidence bit-
stream image into folders and subfolders
• Other guidelines
– Minimize written communications with the attorney
– Any documentation written to the attorney must
contain a header stating that it’s “Privileged Legal
Communication—Confidential Work Product”
– Assist the attorney and paralegal in analyzing data

45
 Industrial Espionage Investigations

• All suspected industrial espionage cases should be

treated as criminal investigations
• Staff needed
– Computing investigator who is responsible for disk
forensic examinations
– Technology specialist who is knowledgeable of the
suspected compromised technical data
– Network specialist who can perform log analysis and
set up network sniffers
– Threat assessment specialist (typically an attorney)

46
 Industrial Espionage Investigations
• Guidelines when initiating an investigation
– Determine whether this investigation involves a
possible industrial espionage incident
– Consult with corporate attorneys and upper
management
– Determine what information is needed to
substantiate the allegation
– Generate a list of keywords for disk forensics and
sniffer monitoring
– List and collect resources for the investigation

47
 Industrial Espionage Investigations

• Guidelines (cont’d)
– Determine goal and scope of the investigation
– Initiate investigation after approval from management
• Planning considerations
– Examine all e-mail of suspected employees
– Search Internet newsgroups or message boards
– Initiate physical surveillance
– Examine facility physical access logs for sensitive
areas

48
 Industrial Espionage Investigations

• Planning considerations (cont’d)

– Determine suspect location in relation to the
vulnerable asset
– Study the suspect’s work habits
– Collect all incoming and outgoing phone logs
• Steps to conducting an industrial espionage case
– Gather all personnel assigned to the investigation
and brief them on the plan
– Gather resources to conduct the investigation

49
 Industrial Espionage Investigations

• Steps (cont’d)
– Place surveillance systems at key locations
– Discreetly gather any additional evidence
– Collect all log data from networks and e-mail servers
– Report regularly to management and corporate
attorneys
– Review the investigation’s scope with management
and corporate attorneys

50
 Understanding Data Recovery
Workstations and Software
• Investigations are conducted on a computer
forensics lab (or data-recovery lab)
– In data recovery, the customer or your company just
wants the data back
• Computer forensics workstation
– A specially configured PC
– Loaded with additional bays and forensics software
• To avoid altering the evidence use:
– Write-blockers devices
• Enable you to boot to Windows without writing data to
the evidence drive
51
Setting Up Your Workstation for Digital
Forensics

• Basic requirements
– A workstation running Windows XP or later
– A write-blocker device
– Digital forensics acquisition tool
– Digital forensics analysis tool
– Target drive to receive the source or suspect disk
data
– Spare PATA or SATA ports
– USB ports

52
Setting Up your Workstation for Digital
Forensics

• Additional useful items

– Network interface card (NIC)
– Extra USB ports
– FireWire 400/800 ports
– SCSI card
– Disk editor tool
– Text editor tool
– Graphics viewer program
– Other specialized viewing tools

53
 Conducting an Investigation
• Gather resources identified in investigation plan
• Items needed
– Original storage media
– Evidence custody form
– Evidence container for the storage media
– Bit-stream imaging tool
– Forensic workstation to copy and examine your
evidence
– Securable evidence locker, cabinet, or safe

54
 Understanding Bit-Stream Copies
• Bit-stream copy
– Bit-by-bit copy of the original storage medium
– Exact copy of the original disk
– Different from a simple backup copy
• Backup software only copy known files
• Backup software cannot copy deleted files, e-mail
messages or recover file fragments
• Bit-stream image
– File containing the bit-stream copy of all data on a disk
or partition
– Also known as “image” or “image file”

55
 Understanding Bit-stream Copies

• Copy image file to a target disk that matches the

original disk’s manufacturer, size and model

56
Acquiring an Image of Evidence Media
• First rule of computer forensics
– Preserve the original evidence
• Conduct your analysis only on a copy of the data
• Several vendors provide MS-DOS, Linux, and
Windows acquisition tools
– Windows tools require a write-blocking device when
acquiring data from FAT or NTFS file systems

57
 Using ProDiscover Basic to Acquire a
USB Drive

• Create a work folder for data storage

• Steps to perform an acquisition on a USB drive:
– On the USB drive locate the write-protect switch and
place the drive in write-protect mode
– Start ProDiscover Basic
– In the main window, click Action, Capture Image
from the menu
– Click the Source Drive drop-down list, and select
the thumb drive

58
Using ProDiscover Basic to Acquire a
USB Drive

59
 Using ProDiscover Basic to Acquire a
USB Drive
• Steps (cont’d)
– Click the >> button next to the Destination text box
– Type your name in the Technician Name text box
– ProDiscover Basic then acquires an image of the
USB thumb drive
– Click OK in the completion message box

60
Using ProDiscover Basic to Acquire a
USB Drive

61
 Analyzing Your Digital Evidence

• Your job is to recover data from:

– Deleted files
– File fragments
– Complete files
• Deleted files linger on the disk until new data is
saved on the same physical location
• Tools can be used to retrieve deleted files
– ProDiscover Basic

62
 Analyzing Your Digital Evidence

• Steps to analyze a USB drive

– Start ProDiscover Basic
– Create a new case
– Type the project number
– Add an Image File
• Steps to display the contents of the acquired data
– Click to expand Content View
– Click All Files under the image filename path

63
 Analyzing Your Digital Evidence

• Steps to display the contents of the acquired data

(cont’d)
– Click letter1 to view its contents in the data area
– In the data area, view contents of letter1
• Analyze the data
– Search for information related to the complaint
• Data analysis can be most time-consuming task

64
Analyzing Your Digital Evidence

65
 Analyzing Your Digital Evidence

• With ProDiscover Basic you can:

– Search for keywords of interest in the case
– Display the results in a search results window
– Click each file in the search results window and
examine its content in the data area
– Export the data to a folder of your choice
– Search for specific filenames
– Generate a report of your activities

66
Analyzing Your Digital Evidence

67
Analyzing Your Digital Evidence

68
Analyzing Your Digital Evidence

69
 Completing the Case
• You need to produce a final report
– State what you did and what you found
• Include ProDiscover report to document your work
• Repeatable findings
– Repeat the steps and produce the same result
• If required, use a report template
• Report should show conclusive evidence
– Suspect did or did not commit a crime or violate a
company policy

70
 Completing the Case
• Keep a written journal of everything you do
– Your notes can be used in court
• Answer the six Ws:
– Who, what, when, where, why, and how
• You must also explain computer and network
processes

71
 Critiquing the Case

• Ask yourself the following questions:

– How could you improve your performance in the
case?
– Did you expect the results you found? Did the case
develop in ways you did not expect?
– Was the documentation as thorough as it could have
been?
– What feedback has been received from the
requesting source?

72
 Critiquing the Case

• Ask yourself the following questions (cont’d):

– Did you discover any new problems? If so, what are
they?
– Did you use new techniques during the case or
during research?

73
 Summary

• Digital forensics involves systematically

accumulating and analyzing digital information for
use as evidence in civil, criminal, and
administrative cases
• Investigators need specialized workstations to
examine digital evidence
• Public-sector and private-sector investigations
differ; public-sector typically require search
warrants before seizing digital evidence

74
 Summary
• Always use a systematic approach to your
investigations
• Always plan a case taking into account the nature of
the case, case requirements, and gathering evidence
techniques
• Both criminal cases and corporate-policy violations
can go to court
• Plan for contingencies for any problems you might
encounter
• Keep track of the chain of custody of your evidence

75
 Summary
• Internet abuse investigations require examining
server log data
• For attorney-client privilege cases, all written
communication should remain confidential
• A bit-stream copy is a bit-by-bit duplicate of the
original disk
• Always maintain a journal to keep notes on exactly
what you did
• You should always critique your own work

76