Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of UKEssays.com.
The purpose of this paper is to review the basic methodologies and the appropriate processes that a computer forensic investigator goes through in conducting an investigation. It will give an idea to the reader about the planning and organization of an investigator who is involved in a computer related crime, the ways in which he will conduct the investigation such as basic preparation, use of the required tools and techniques, acquisition and analysis of the data, role in giving testimony, use of forensic laboratories or the guidance of all the staff working under the main investigator and even planning network forensics all of which are related to his work.
The Computer Forensics Investigation Plan
A computer forensic investigates data that can be retrieved form storage media of a computer such as a hard disk, it is also considered that to be a successful computer forensic the knowledge of many different platforms to perform computing is a must, for our case we will consider you as the chief forensic investigator in the state of Virginia, as a part of private enterprise you are assigned the role of planning the computer investigation of a suspected criminal activity, we will see from your perspective how you should conduct all the necessary procedures.
We don’t just need science; we need good science (Evans, 2004)
Always analyze major issues in preparing for an investigation. The crime scene is considered to be a very sensitive place in terms of collecting proofs and evidences which are in many cases very vulnerable and can be very easily be manipulated so special attention is needed in every aspect of recovery methods in order to gain as much as possible.
Before arriving at the scene of crime, it is mandatory that you should always take a systematic approach in problem solving like making an initial assessment about the case then determining a preliminary approach to the case, after that, create a detailed checklist of the objectivity of the case, analyze the resources needed, identify all the risks and try the very best to minimize them, also outline all the details known about the case until then in a systematic manner such as the situation in which you will be arriving, the nature and specifics of the case, the type of computer forensic tools which will be needed at the case and to check on the specific operating systems in disposal which assist in the forensics investigation process.
Once at the crime scene, try to gather evidence to prove that the suspect violated the company policy or committed a crime, since this is a private sector investigation it includes corporate businesses, other agencies of government are not involved such as law enforcement. The law enforcement agencies act according to the federal freedom of information act or laws of similar descent according to their territory in all process. Investigating and taking control of the computer incident scene in the corporate environment is considered to be much easier than in the criminal environment because the incident scene is often the workplace, these workplaces have databases of computer hardware and software which can also be analyzed, proper tools can be adopted to analyze a policy violation if any.
Many companies either state their policy right away or show some warning, some apply both whose purpose is to tell that they hold the complete right to inspect the computing assets of their respective subjects at will, in addition to that every company must describe when an investigation can be initiated and allow the corporate investigators to know that under what circumstances they can examine the computer of an employee, if the investigator finds about the wrongdoing of the employee then the company can file a criminal complaint against him.
If any evidence is discovered of a crime during the investigation then the management must be informed of the incident, checking the incident itself that it meets the elements of criminal law, work with the corporate attorney and also to see that you don’t violate any other constitutional law in all the procedure.
Preparing for a computer seizure for search operation is one of the most important point in conducting computing investigation. In order to do this, some answers from the victim and an informant may be needed, informant can be a detective for the case, a witness, a manager or any coworker to the specific person of interest. If you can identify the computing system, then estimate things such as how many computer systems to process and size of drive on the computer of the suspect, also determine which operating systems and hardware are involved. Determining location of the evidence and the case’s type is very crucial, it allows to determine if computers can be removed. If the removal of the computers will cause harm to the company then it should not be done in the interest of the company, problems in investigation may arise if the files are most probably hidden, encrypted or stored in some offsite, if the computers are not allowed to be taken for investigation then the investigator must determine the resources to acquire digital evidence and the proper tools which will be needed to make data acquisition faster.
Also determine who is in charge of the respective systems (in corporate environment, usually one person’s assistance from the company is required in this regard). Always keep some specialists who work on many different types of operating systems, servers or databases and properly educate those specialists in investigative techniques.
Once arrived, securing the crime scene or the specific computer is the foremost priority of the investigation team, the purpose is to preserve the evidence and keep the acquired information confidential. The investigative team should define a secure perimeter using a special type of yellow barrier tape, it should also have the legal authority to keep the unnecessary people out but do not fail to comply the other law enforcers or obstruct justice in any manner possible.
Only professional task force should handle the crime scene for evidence as any non professional law enforcer can manipulate or even destroy the vital piece of evidence which may be very crucial in the overall scenario. Remember that corporate investigators does not seize evidence very often, more brief guidelines for processing an incident or crime scene goes as follows, keeping a journal to document the activities, securing the scene in the sense of being professional and courteous with onlookers, removing all those personnel who are not associated with investigation, taking all the proper and necessary recordings in video of the area surrounding the computer, at the same time paying attention to all the major and minor details. Sketching the incident of the crime scene and checking the computers as soon as possible.
While at the crime scene, don’t ever cut the electrical power to a running system by pulling the plug unless it is an older Windows or DOS system (which in these days are very rarely found anywhere), instead apply a live acquisition by the proper acquisition methods if possible, when shutting down computers with Operating Systems such as Windows XP or later version of it or Linux/Unix then always remember to perform a normal shutdown of the system, this helps to prevent log files.
Try the very best to save the data from the current applications as much safe as possible, properly record all active windows or other shell sessions, and photograph the scene.
Also make notes of everything that is done even when copying the data from a live computer of a suspect, save open files to external storage medium such as a hard drive or on a network share (if somehow the saving mentioned is causing problems then save with some new titles), then close applications and shut down the computer.
Further guidelines include on bagging and tagging the evidence which is done as follows, first assign a person to collect (and log) the evidence, then tag all the evidence which is collected with the present date/time, serial number or other features. Always keep two separate and different logs of evidence collected an keep control of the evidence at the crime scene.
Always look for information related to the investigation such as passwords, PINs, passphrases, bank accounts and so on. Look at papers in places such as the drawers or even try to search the garbage can. Collect all the related documents and media which is associated with investigation such as manuals or software/hardware. Using a technical advisor of high degree experience and knowledge is a must, technical advisor can help to list the tools which are required to make progress at the crime scene, it is the person which can guide the investigation team about where to locate data and help the team in extracting the log records or other evidence form large servers. The advisor can also create or help to make a search warrant by finding what is needed by the investigators for the warrant.
More brief responsibilities of the technical advisor includes to know the aspects of the seized systems, to direct the main investigator on handling sensitive material, helping in securing the crime scene, helping to plan the strategy for search and seizure (documenting it), document all the activities and helping in conducting the search and seizure.
Documenting all the evidence in the lab is also a necessary process, which involves in recording the activities and findings as the investigators work; this can be done by maintaining a journal to record the steps taken as the investigator process evidence. The main objective is to produce the same results when the main investigator or any other repeat the steps that were taken to collect evidence, a journal serves as reference that documents all the methods that have been used to process evidence.
For proper documenting the evidence, always create and use an evidence custody form, which serves the following functions such as identify who has handled the evidence and identify the evidence itself, properly listing all time and date of the handling of the evidence. Other information can also be added to the form such as specific section listing and hash values, try to include any other detailed information that might need for reference.
Evidence forms or labels are present in the evidence bags that can be used to document the evidence.
Always prepare the tools using information from incidents and crime scenes, the initial response field kit should be light in weight and easy to transport form one place to another. An addition to the initial kit is the extensive response field kit which must include all the necessary tools.
The items in an initial response field kit may include one digital camera or 35mm camera with film and flash, one flashlight, one laptop computer, one large capacity drive, one IDE ribbon cable (ATA-33 or ATA-100), one SATA cable, one forensic boot media containing the preferred utility, one FireWire or USB dual wire protect external bay, ten evidence log forms, one notebook or dictation recorder, ten computer evidence bags (antistatic bags), twenty evidence labels, twenty tape and tags, one permanent ink marker, ten external USB devices such as a thumb drive or a larger portable hard drive.(cited in Nelson, Phillips & Stewart , 2004)
Tools in an extensive response field kit may include varieties of technical manuals ranging from operating systems references to forensic analysis guides, one initial response field kit, one portable PC with SCSI card for DLT tape drive or suspect’s SCSI drive, two electrical power strips, one additional hand tools including bolt cutters, pry bar and hacksaw, one pair of leather gloves and disposable latex gloves (assorted sizes), one hand truck and luggage cart, ten large garbage bags and large cardboard boxes with packaging tape, one rubber bands of assorted sizes, one magnifying glass, one ream of print paper, one small brush of cleaning dust fro suspect’s interior CPU cabinet, ten USB thumb drives of varying sizes, two external hard drives (200 GB or larger) with power cables, assorted converter cables and five additional assorted hard drives for data acquisition.
When choosing an appropriate tool, the investigator must be sure that the tool is properly functioning, and that the right person handles it during the investigation. In order to prepare the investigator’s team, investigator must review all the facts, plans and objectives with the entire team assembled, the main objectives of the scene processing should be to collect evidence and secure it. The speed of the response from the team is very crucial as it can cause evidence such as digital evidence to be lost.
A computer forensics lab is a place where computer forensics conduct investigation, store evidence and house the necessary equipment, hardware and software. A typical lab manager duties involve many tasks such as proper management for case study, helping to provide reasonable consensus for effective decisions, keep everyone up to date with proper ethics and any modifications if made, keeping a financial account and proper check and balance of the entire facility, keeping it updated according to latest trends in technology and promoting the required quality assurance, appoint a schedule that suits everyone, estimating the potential of investigators and assessing their requirements, proper estimation of results ( preliminary or final) or when they are expected, strictly manage all lab policies and keep an overall look on the safety and security of the entire facility. The staff members have duties which include knowledge and training of equipments relating to computer systems such as Operating systems and their file types, software and hardware. Other staff duties include knowledge and training of technical skills, investigative skills, deductive reasoning. Planning lab budget involves making proper divisions in costs on all bases from daily to annual expenses, gathering the available data of the past expenses and use it to predict or prepare for any future costs. The main expense for a lab comes from the trained personnel or the equipment they use such as hardware or software devices in their disposal. Always estimate the number of computer cases the lab expects to cover, always being notified about the advancements in technology in the respective field, try to make assessment about the computer related crimes ( their kinds), and use this information to plan ahead lab requirements and costs.
While making good computer technology available is important, the costs and benefits of upgrading all computers to “state of the art” must be weighed. (cited in schwabe, 2001)
Check statistics from the “Uniform Crime Report”, identify the specific software used to commit crimes. If you’re setting a lab for any private corporation, remember to check the inventory of computing such as software or hardware, previous reported problems and the ongoing and future advancements in related computer technology. Managing time is also a major concern when choosing on the computing equipment for the purchase. Most of the investigation is conducted in the lab, so it should be secure as evidence may is very crucial and cannot afforded to be lost, manipulated, damaged, destroyed or corrupted. Always put emphasis in providing a secure and safe environment, keep proper inventory control of the assets (inform in advance if more supplies are needed). A safe and secure facility should always preserve the evidence data and keep it as it is, the minimum requirements for a secure facility are a medium or small sized room with true walls form the floor to ceiling, proper locking mechanism provided with the door access, secure container and log for visitors. Almost all of the workers in the facility should be given the same level of access. Always brief the staff about the security policy, it is a must. The evidence lockers used in the lab must be kept secure enough such that any unauthorized person may not access it at all, some recommendations for securing storage containers include locating the containers in a properly defined restricted area, limiting people who will have the access to the storage containers, keeping a record on the authority of everyone who has access to the containers and keeping the containers locked when not in use.
If a combination of locking system is used, then provide equal measure of security for both the contents of the container and the combination, always destroy the combinations that were previously held when setting up new combinations, only those persons who have the proper authority should be allowed to change the lock combinations, try to change the combination every three or six months or whenever required. When using a key padlock, authorize a personnel as the main key custodian, keep duplicate keys and print sequential numbers on all of them, keep a registry which has a record of keys that are assigned to the authorized personnel, conduct audits on weekly or monthly basis, try to place keys in a secure container after taking an inventory of keys, keep the level of security the same for all the keys and evidence containers, replace the old locks and keys on an annual basis and don’t use a master key for several locks.
Containers should be strong, safe and as much indestructible as possible with external padlock system and a cabinet inside, try to get a media safe if possible (to protect evidence form damage), keep an evidence storage room (if possible) in lab and keep a well organized evidence log which is used to keep update on all the occasions when the container of the evidence is opened or closed. Always maintain a security policy and enforce it (log signing in for visitors in a way that those personnel are considered to be visitors who are not assigned to lab, these visitors should always be escorted in all times), using indicators (visible and/or audible) is also a necessity inside lab premises, install an intrusion alarm system and hire a guard force for your lab.
In civil litigation, investigator may return the evidence after using it (when issued a discovery order),if the investigator cannot retain the evidence then make sure it make the correct type of copy( copy in cases of data from disks or other hard drives, logical or bit stream), ask the supervisor or your client attorney on the requirements, you should usually only have one chance, create a duplicate copy of the evidence file, make minimum two images of evidence(digital) using separate methods, try to copy the host protected part of a disk, size is the biggest concern ( such as in raid “redundant array of independent disks”) systems which have terabytes of data),
Some investigation needs to be conducted in the laboratory because of the proper tools and technicians available there who know how to deal with the evidence correctly without tampering it, Investigator might need to have the proper permission of the authority in charge if it wants the system moved to the laboratory, when permission provided, the investigator have a given time frame in which it must perform its task and then deliver the system back to where it came from.
Log files are those which lists all the actions that have happened, such as in Web servers which maintain log files to list every request made to the main Web server, using the log file analysis tools, the user can gave a very good assessment of where the visitors came from or how often they return or even how they go through a site, in addition to log files there are “cookies”, when used, they enable the Webmasters to log far more detailed information about the user on how it is accessing a site.
Logs are also considered to be an independent, machine-generated record of what happened within a network for both system and user activity. When set up properly, and with the appropriate due care, logs can provide an immutable fingerprint of system and user activity. In many cases, the logs tell a story as to what really happened in an incident. They can tell you what systems were involved; how the systems and people behaved; what information was accessed; who accessed it; and precisely when these activities took place. (Cited in Musthaler, 2010)
Given the overview of logs on what they can provide, the regulations such as the PCI DSS (payment card industry DSS), the FRCP (civil procedures federal rules), the HIPAA (which is an act regarding the health insurance) and many other regulations, all consider logs and log management to be the very basic and essential necessity for proper and efficient data management. Logs can be used to capture many vital sources of information which beside protecting the core data can also help in supporting forensic analysis and incident response if a data breach has occurred or other forms of electronic crime, such as fraud.
The overall log monitoring can be hurdled because of the extremely large amount of fair data capture and the unwillingness, lack of will or errors in properly managing, analyze and correlating that data. The overall conclusion (in mismanagement) can cost hugely as if some suspicious activity or breach really happens, then a lot of time ( possibly many months ) may require to detect the fault, there is even no guarantee if the fault will be detected. In order to have logs admissible in court as evidence of a crime, an organization must prepare and execute due care with the log data.
Log data must be viewed and treated like a primary evidence source. Here are some best practices that can help ensure log data and log management practices properly support forensic investigations. Have a clear corporate policy for managing logs across the entire organization. Document what is being logged and why, as well as how the log data is captured, stored and analyzed. Ensure that 100% of log-able devices and applications are captured and the data is unfiltered. Have centralized storage and retention of all logs, with everything in one place and in one format. Ensure the time synchronization of logs to facilitate correlating the data and retrieving data over specific timeframes. Ensure the separation of duties over logs and log management systems to protect from potential internal threats such as a super user or administrator turning off or modifying logs to conceal illicit activity. Always maintain backup copies of logs. Have a defined retention policy that specifies the retention period across the organization for all log data. Organizations should work with legal counsel to determine the best time frames and have log data incorporated into an overall data retention policy. Have a defined procedure to follow after an incident. Test the incident response plan, including the retrieval of backup log data from offsite storage. (Musthaler, 2010)
Further quotes form Brian Musthaler include,
If an incident or data breach is suspected, there are several steps to take right away:
Increase the logging capability to the maximum and consider adding a network sniffer to capture additional detail from network traffic. In an incident, it’s better to have more data rather than less. Freeze the rotation or destruction of existing logs to prevent the loss of potential evidence. Get backup copies of the logs and make sure they are secure. Deploy a qualified investigations team to determine the situation. (Musthaler, 2010)
With the appropriate care, logs can provide solid forensic evidence when and if it is needed, as far as the job of a computer forensic investigator is concerned, his log begins when he starts an investigation, logs can be made of many things such as events, system security, firewall, audit, access and so on. (cited in PFI, 2010)
Equipment can be recorded in the log by many ways, audio logs can be made which can store audio files, picture logs can be made which can store digital pictures taken during an investigation. Equipments are recorded according to the type of its contents with the appropriate tools. The final log is stored at the very end after possibly remodifying or revising previous logs.
For the process of acquiring data in an investigation, we will consider following techniques,
There are two types of data acquisition, static acquisition and live acquisition which basically involves the following four type of acquisition techniques, bit-stream disk-to-disk, bit-stream disk-to-image file, sparse and Logical. Bit-stream disk-to-image file is the most common method, it makes many copies and all of the copies made are replications of the original drive bit-by bit, similar type of process is happening in everyday scenario concerning a common personal computer, when we copy and paste files from one place to another or when we make multiple copies of a data file then the exact copy of the original data file is made available in many places. It is very simple, easy and with very nominal training can be performed on the target system therefore it is the most preferred method as well. The tools used in it are EnCase, ProDiscoer, FTK, SMART.
Disk-to-disk method (bit-stream) is applied in the case of disk-to-image copy being impossible mainly due to hardware or software errors or incompatibilities, this problem comes when at most of the time dealing with very old drives. It adjusts target disk’s geometry to match the drive of the suspect (geometry of track configuration), tools used in this form are SafeBack, EnCase, , and Snap Copy.
Logical acquisition and Sparse acquisition are used when the total time of the investigator is very short and the target disk is very large. This type of acquisition only searches and retrieves the selected file which is of particular interest, comparing this to Sparse acquisition which deals with data collection but again the data collected is very nominal.
Data analysis(for a computer forensic investigator) includes mostly examining digital evidence which depends on the following main factors, the nature of the case, the amount of data to process, the search warrants and court orders and the company policies. Scope creep happens when investigation expands beyond the original description which should be avoided in all cases. Few basic principles apply to about the entire computer forensics cases such as the approach taken depends largely on the specific type of case being investigated.
Basic steps for all computer forensics investigations for analysis include the following points such as for target drives, using only recently wiped media that have been reformatted and inspected for computer viruses, noting the condition of the computer when seized, removing the original drive from the computer to check date and time values in the system’s CMOS, record how to acquire data from the suspect’s drive, process the data methodically and logically, listing all folders and files on the image or drive
Also try to examine the contents of all data files in all folders starting at the root directory of the volume partition, try to recover all the file contents that are password-protected and can be related to the investigation, identifying the function of every executable file that does not match known hash values and maintain control of all evidence and findings and also document everything as being progressed through the examination.
Refining and modifying the investigation plan includes determining the scope of the investigation and what the case requires, determining if all the information should be collected and what to do in case of scope creep. The main aim should be to start with a plan but remain flexible in the face of new evidence.
Data can be analyzed using many tools from the forensic toolkit such as supported file systems (FAT12/16/32, NTFS, Ext2fs, and Ext3fs). FTK can a very powerful tool that can analyze data from several sources including image files from other vendors, it produces a case long file. FTK also analyzes compressed files, reports can also be generated in it using bookmarks. Other analyze tools include searching for keywords (indexed search, live search or using advanced searching techniques such as stemming). In order to identify different types of data such as images, email and so on, the investigator should examine the data format and then according to that format, it should deal with the file with the appropriate tool.
Working with law enforcement
The status of individuals under law is no longer in doubt: individuals are subjects of law and as such are accorded rights. Yet rights are illusory without the procedural capability to enforce them. They are no more than high-minded principles if individuals whose rights have been violated have no avenue for complaint and relief. (Cited in Pasqualucci, 2003)
There are basically two types of computer investigations, public and private(corporate), the public investigations involve government agencies responsible for criminal investigation and prosecution, the organizations involved must observe legal guidelines provided to them by the authority, other legal rights such as law of search and seizure helps in protecting rights of all people including suspects.
Of the everyday problems of the criminal justice system itself, certainly the most delicate and probably the most difficult concern the proper ways of dealing individually with individuals.(Cited in Winslow, 1968)
Investigator working with the law enforcement must always abide by the federal and constitutional laws in conducting and performing entire process of investigation. Criminal cases at law enforcement goes through three main steps, first the victim (any individual or company) will contact the law enforcement agency by making a complaint, then acting on behalf of that complaint, the investigator will be assigned by the government authority to conduct a balanced and proper investigation and will be asked to present all the findings directly to the law agency, the investigator will interview the complaint and will write a report about the crime, police blotter may provide a record of clues to crimes that have been committed previously (related to the ongoing investigation). The investigator collect, delegate and process the information related to the complaint. As the investigator build a case, the information is turned over to the prosecutor.
An affidavit is a sworn statement of support of facts about evidence of a crime which is submitted to a judge to request a search warrant; the judge must approve and sign a search warrant before it can be used to collect evidence. The chain of custody is the route the evidence takes from the time investigator finds it until the case is closed or goes to court, throughout the case, the evidence is confiscated by the investigator who has the proper right under the law to maintain and keep the evidence immutable.
Other concerns which need to be addressed when bringing law enforcement to the scene is that the officers should follow proper procedure when acquiring the evidence such as in digital evidence which can be easily altered by an overeager investigator, special concerns should be given to the information on storage media such as hard disks which are password protected.
Network forensics is the job of finding the information about how a perpetrator or an attacker gained access to a network, it involves systematic tracking of incoming and outgoing traffic to find out how an attack was carried out or how an event occurred on a network, the forensic expert should be very well experienced and be familiar with many previously related cases of network because the intruders which the network forensic searches for always leave some sort of trail behind, this trail
Cite This Work
To export a reference to this article please select a referencing stye below:
Related ServicesView all
DMCA / Removal Request
If you are the original writer of this essay and no longer wish to have your work published on the UKDiss.com website then please: