Guidelines On Digital Forensic PDF
STANDARDS FOR DIGITAL AND COMPUTER FORENSICS IN NIGERIA
DRAFT v0.2
PREPARED BY:
MARCH 2014
TABLE OF CONTENTS
1. Introduction
1.1 Background
1.2 Objectives
1.3 Methodology
3. Data Recovery
Appendix A: Forensics Portals
Appendix B: Glossary of Terms
Selected References
FIGURES
2.1 Sample of a Single-evidence Form
2.2 Sample of a Multi-evidence Form
1. INTRODUCTION
1.1 BACKGROUND
Today, virtually every business and personal document is prepared on a computer or a
mobile, hand-held device. E-mail records and the pages visited on the Internet yield even
more critical information about our daily lives. More importantly, the information stored on a
computer can make or break a business, a person, a group of people, or a court case.
Computer and digital forensics is the science of retrieving and chronicling evidence located
on a computer's hard drives and other sources of Electronically Stored Information (ESI)
such as floppies, CDs and DVDs, external drives, thumb drives and voice mail servers, so
that it can be presented as evidence in a court of law. It is the use of specialized techniques
for recovery, authentication and analysis of electronic data when a case involves issues
relating to reconstruction of computer usage, examination of residual data, and
authentication of data by technical analysis or explanation of technical features of data and
computer usage.
Computer and digital forensics is useful for the detection and investigation of crime
committed on computers, computer networks, the internet and other digital devices with the
intent of giving digital evidence in law courts and tribunals. It is also the professional
extraction and handling of potential electronic evidence from any digital device or digital
storage media to assist investigators, prosecutors, and the trier of fact (Judges, magistrates
and members of tribunals) in a criminal justice system in arriving at the right judgment in
litigation.
The practice of computer and digital forensics includes the use of formal, accepted
techniques for collecting, analyzing, and presenting suspect data in court, concentrating on
rules of evidence, the legal processes, the integrity and perpetuity of evidence, reporting of
facts, and the preparation and presentation of expert testimony. It requires the use of
specialized techniques for recovery, authentication, and analysis of computer data, typically
of data which may have been deleted or destroyed.
Like all forms of forensic science, computer and digital forensics comprises the
application of the law to computer technology. It deals with the preservation,
identification, extraction, and documentation of computer evidence. Like many other
forensic sciences, it involves sophisticated technological tools and procedures that must
be followed to guarantee the accuracy of the preservation of evidence and of the results
of computer evidence processing.
Computer forensics requires specialized expertise that goes beyond normal data collection
and preservation techniques available to end-users or system support personnel. The
applications of computer forensics require specialized training and techniques and state of
the art forensics tools and software to evaluate the potential usefulness of computer data,
to retrieve and interpret "hidden" data from computer media, and to provide chain of
custody and data accuracy with court-accepted techniques.
Standards for Digital and Computer Forensics in Nigeria Draft v0.2
were inducted by the Computer Forensics Institute, Nigeria (CFIN) at a special induction
ceremony on 29th November, 2012. The Nigeria Police Force also commenced the training
and Certification of its officers in Digital and Computer Forensics in August, 2013.
However, the lack of Standards for the implementation of digital, computer and electronic
evidence in Nigeria has left a big vacuum in the entire process.
The NITDA Act empowers NITDA to develop such Standards. Furthermore, this study is in
line with the Scope, Goals and Objectives of ICT4D Governance and Legislature generally
and Law of Evidence in particular.
1.2 OBJECTIVES:
The objectives of this Standards document are as follows:
1.2.1. To develop the Standards for the implementation of digital and computer forensics in
Nigeria in terms of electronic evidence acquisition, examination, analysis and presentation
in a manner that will be admissible in the law courts; and
1.2.2. To develop standards for: (a) forensic laboratories from which admissible forensic
evidence can be extracted; and (b) the quality of forensic laboratory staff.
1.3 METHODOLOGY
1.3.1 Prepare a Draft of the Standards for Forensic Evidence.
1.3.2 Make the Draft Standards available to Stakeholders.
1.3.3 Review the Draft with relevant Stakeholders at the National Technical Committee
(NTC) Meeting on Standards for Digital and Computer Forensics in Nigeria.
1.3.4 Obtain comments from Stakeholders and take these into consideration in preparing a
Final Draft of the Standards for Digital and Computer Forensics in Nigeria.
1.4 SCOPE OF THE STANDARDS
This standards document, in this version, will cover all areas of digital and computer
forensic evidence obtained from computers, laptops, servers and other digital or electronic
storage devices, including phones and mobile devices, video, photo, digital fingerprints and
other biometric data, etc. This document shall be subject to review and update from time to
time in view of the dynamic nature of information technology. Appendix A shows the
forensic portals. Appendix B contains the Glossary of digital forensics terms.
This Standards document is aimed principally at police officers, law-enforcement and
security agents, military officers, prosecutors, anti-corruption agencies, regulatory
agencies, other public sector investigators and private sector investigators working for their
organizations and those working in conjunction with law enforcement. This document is
meant for all those involved in the investigation and prosecution of incidents or offences
which require the collection and examination of digital evidence in Nigeria.
This document is intended for use in the recovery of computer-based electronic evidence; it
is not a comprehensive guide to the examination of that evidence. It is a standards
document. It is, therefore, the responsibility of the users of this document to obtain the
necessary training required for carrying out digital and computer forensic examination and
analysis. This document was developed to ensure that, in a crime which involves a high-tech
element, the digital forensics examiner collects all relevant evidence in a timely and
appropriate manner.
2.
(c) Furnishes training in the proper Recognition, Collection, Analysis and Preservation of
physical / electronic evidence.
Methodology:
(a) Acquire the evidence without altering or damaging the original.
(b) Authenticate that the recovered evidence is the same as the original seized.
(c) Analyze the data without modifying it.
(The methodology is discussed in full later in this section)
Categories of Digital Evidence:
Hardware
Software:
o Data
o Programs
Digital Evidence:
Digital data that can establish that:
a crime has been committed or
can provide a link between a crime and its victim or
provide a link between a crime and its perpetrator.
Categories:
Text
Audio
Image
Video
Where Forensic Evidence Resides:
Computer Networks:
Application Layer:
Web pages, Online documents.
E-Mail messages.
News group archives.
Archive files.
An evidence custody form helps you document what has been done with the original
evidence and its forensics copies.
There are two types:
Single-evidence form (see Figure 2.1)
Multi-evidence form (see Figure 2.2)
Figure 2.1 Sample of a Single-evidence Form

Case No: ________    Unit Number: ________    Investigator: ________
Nature of Case: ________
Location where evidence was found: ________
Item #: ____   ID: ____   Description of evidence: ________   Vendor Name: ________
Evidence recovered by: ________    Date & Time: ________
Evidence placed in Locker by: ________
Evidence processed by: ________    Date & Time: ________
Disposition of Evidence: ________
Page ____ of ____

Figure 2.2 Sample of a Multi-evidence Form

Case No: ________    Investigator: ________
Nature of Case: ________
Location where evidence was found: ________

Item #      Description of Evidence      Vendor Name
Item #1     ________                     ________
Item #2     ________                     ________
Item #3     ________                     ________
Item #4     ________                     ________
Item #5     ________                     ________
Item #6     ________                     ________
Item #7     ________                     ________
Item #8     ________                     ________
Item #9     ________                     ________
Item #10    ________                     ________

Evidence recovered by: ________    Date & Time: ________
Evidence placed in Locker by: ________

Item #    Evidence processed by    Date & Time    Disposition of Evidence    Date & Time
____      ________                 ________       ________                   ________
Page ____ of ____
o SHA-1 hash
o SHA-256 hash
3. DATA RECOVERY
3.1 INTRODUCTION
Data recovery is the process of retrieving or salvaging deleted, damaged or inaccessible
data from failed electronic media such as computer hard disk drives, RAID arrays,
removable media (flash drives, Zip drives, memory cards, etc.), optical media (CDs, DVDs),
tape cartridges, phones and mobile devices, and other storage media.
One of the most important functions of a Digital and Computer Forensics Examiner is the
recovery of data that has been deleted maliciously or intentionally for criminal purposes or
to conceal evidence. Data recovery is also useful in discovering digital actions of a
suspect that could link him or her to a crime, e.g. a homicide case where all physical
evidence has been neatly concealed but electronic evidence found on the suspect's laptop
shows that the suspect ordered the substance used to poison the victim.
Therefore, in order to handle this aspect of the job effectively, the examiner must have at
least an elementary technical knowledge of data recovery and of how data storage media
work. The hard disk (HD) drive is used for this purpose in this document. This section is
divided into five parts: data, the essence of data recovery, the scope of data recovery,
elementary knowledge of the hard disk, and steps in data recovery.
3.2. DATA
Data, as used here, includes not only files such as documents, images and voice
recordings stored in a file system or database, but also the hardware information, network
addresses and network services used to store and manage that information.
3.3 THE ESSENCE OF DATA RECOVERY
Data recovery means retrieving data that has been lost, deleted, or made unusable or
inaccessible for any reason. It not only restores deleted or lost files but also recovers
corrupted data and data maliciously deleted with criminal intent. Different causes of loss
call for different data recovery methods.
3.4 THE SCOPE OF DATA RECOVERY
There are two purposes of data recovery:
for forensic investigation and
for disaster recovery.
We can also divide the scope of data recovery according to different symptoms, namely:
3.4.1 File loss: If files are lost through deletion or formatting (malicious, intentional or
unintentional, including deletion with criminal intent) or a Ghost clone error, file recovery
tools such as FTK, EnCase, etc. can be used to recover the data.
3.4.2 System problem: The main symptom is that the system cannot be entered, behaves
abnormally or shuts down. The causes are varied, so different processing methods must be
adopted. Possible causes include a lost or corrupted key system file, bad tracks on the
hard disk, a damaged hard disk, a lost MBR or DBR (boot record), or an incorrect CMOS
setting.
3.4.3 Bad track of hard disk: Bad tracks are either logical or physical. A logical bad track is
mainly caused by incorrect operation and can be repaired by software. A physical bad track
is real damage to the platter: the data on it cannot be restored by software, and the drive
can only be made usable again by repartitioning or remapping around the damaged
sectors. Any such sector must be recorded in the examination log, since the image taken
from the drive will not contain its contents.
3.4.4 Partition problem: If a partition cannot be identified or accessed, or is reported as
unformatted, partition-table recovery tools can be used to recover the data.
3.4.5 Password loss: If a file, system, database or account password is lost, specialised
decryption and password-cracking tools can be used.
3.4.6 File repair: For various reasons some files cannot be accessed or used, or their
contents appear as corrupted characters because the contents have been altered and
become unreadable.
Inspect all hard drives, floppy drives, and other available electronic media using
methods that will allow the data to be preserved and exhibited in court.
Explore and recover deleted files.
Explore unallocated space and file slack for data, including hidden data.
Explore areas of the media for fragmented data.
Explore swap files.
Locate and document current and deleted e-mail (sent and received).
Extract e-mail and e-mail conversations, identify all e-mail addresses and Web
URLs.
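The items above on deleted files, unallocated space, file slack and fragmented data all come down to one technique: scanning the raw image for file signatures without relying on the file system, since the directory entries of a deleted file are exactly what is gone. The following is an added example in Python; it is not part of this Standards document or of any of the tools it names. The signature table and the raw "unallocated space" image are constructed for illustration, and the max_len values are assumptions chosen to bound how much is carved when no footer is found.

```python
import hashlib

# (type, header, footer, max_len): carve from the header to the first footer found
# within max_len bytes; if no footer turns up the carve is truncated to max_len and
# flagged incomplete (the file was overwritten or stored in fragments). Sizes assumed.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 16 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 64 * 1024 * 1024),
]


def carve(image, signatures=SIGNATURES):
    """Signature-based carving over a raw image (bytes). It ignores file-system
    metadata entirely, so it finds files whose directory entries are gone, whether
    they sit in unallocated clusters or in the slack after a live file.
    Returns one record per hit, sorted by offset in the image."""
    hits = []
    for name, header, footer, max_len in signatures:
        pos = 0
        while True:
            off = image.find(header, pos)
            if off == -1:
                break
            window_end = min(len(image), off + max_len)
            end = image.find(footer, off + len(header), window_end)
            if end == -1:
                data, complete = image[off:window_end], False
                pos = off + len(header)      # keep looking inside the window
            else:
                data, complete = image[off:end + len(footer)], True
                pos = off + len(data)        # skip signatures embedded in this file
            hits.append({
                "type": name, "offset": off, "length": len(data), "complete": complete,
                "sha256": hashlib.sha256(data).hexdigest(), "data": data,
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed raw image: zero filler around a complete JPEG, a complete PDF, and a
# JPEG whose trailer was overwritten, as would be left behind in unallocated space.
FILLER = b"\x00" * 64
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x01" * 20 + b"\xff\xd9"
PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n%%EOF"
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"\x02" * 16
UNALLOCATED = FILLER + JPEG + FILLER + PDF + FILLER + TRUNCATED_JPEG + FILLER

if __name__ == "__main__":
    for hit in carve(UNALLOCATED):
        status = "complete" if hit["complete"] else "INCOMPLETE"
        print(f"{hit['type']:5} offset={hit['offset']:6} length={hit['length']:6} "
              f"{status} sha256={hit['sha256'][:16]}...")
```

Every carved object gets its own hash at the moment it is recovered, so it can be entered on the custody form independently of the image it came from; the incomplete flag tells the examiner which results need manual inspection rather than being reported as whole files.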
Our focus in this document is on the approved methodology for data recovery for forensic
evidence. Data recovery may require exhaustive, detailed work. However, any data
recovery case for forensic purposes typically follows the same general process that is
used to recover lost data for disaster recovery.
The steps are stated below:
1. Make a Log Book Entry: Make a log book entry as to date and time, details of the
suspect HD or device to be recovered, Case number, Name of Suspect, etc.
2. Evaluate the media and provide an initial determination of the extent of the damage,
potential for recovery, and work involved to recover the data.
3. Estimate how much work will be involved, how much data can be recovered, what steps
will need to be taken, and what the cost will be to recover the data.
4. Mirror or image the suspect HDD. In this step the forensic examiner makes an image
copy (bit-stream copy) of the HDD, using a write-blocker to protect the original HD from
being written to by the operating system (OS). If possible, make two (2) copies for
yourself as the Examiner and one (1) copy ready for the defence (or the prosecution),
depending on which side you are on. (If this step fails because of a hardware problem or
physical damage to the HD, perform step 5 before returning to step 4. If this step
succeeds without problems, skip step 5.)
5. Repair any electrical or physical damage that is preventing the media from being read.
(A suspect may have deliberately smashed the HD, the computer or the device on the
floor to prevent data recovery.) This step must be carried out in a clean room with the
appropriate tools, since hard drives are finely tuned and sealed tightly to protect them
from dust.
6. Recover the data through "logical" (software) processes that work with the raw data or
the image of the data on the disk or drive. AccessData FTK, EnCase and Belkasoft
Evidence Centre are examples of software that can be used for this purpose. You must
ensure that the software you are using is properly licensed to you or your organization,
and that it is kept up to date.
7. Examine the recovered (imaged) data to be sure it is intact and usable and extract a list
of the results of the recovery (what data was recovered, etc.).
8. Return the original media (HD, etc.) to the appropriate authority from where you
collected the HD for data recovery.
9. Analysis: Conduct a detailed analysis of the recovered data based on the scope of your
assignment (or charges brought against the suspect): e.g. MS-Office Document files, PDF
files, Photos (JPEG, etc.), Videos, SMS, MMS, Emails, Contact Book, Databases, Apps,
Call logs, GPS data, etc. Restrict yourself to the scope of your assignment.
10. Report writing: Prepare a detailed report of the findings and digital evidence found
during the examination. Review the draft copy and submit a final draft.
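The methodology stated in section 2 (acquire without altering, authenticate that the copy is the same as the original, analyze without modifying), the SHA-1/SHA-256 hash items, and steps 1, 4, 5 and 7 of the procedure above are worked through below as an added example in Python. It is not part of this Standards document or of any imaging product. The "seized drive" is three constructed sectors, the FlakyDevice class is a constructed stand-in for a disk with an unreadable sector, and the case number and examiner name are sample values; a real acquisition reads the block device through a hardware write-blocker.

```python
import hashlib
import io
from datetime import datetime, timezone

SECTOR = 512

# Constructed stand-in for a seized drive: three 512-byte sectors.
SUSPECT_DEVICE = (b"BOOT" + b"\x00" * (SECTOR - 4)) + b"A" * SECTOR + b"Z" * SECTOR
SOURCE_SHA256 = hashlib.sha256(SUSPECT_DEVICE).hexdigest()


class FlakyDevice:
    """Constructed read-only device that raises OSError for the listed sector
    numbers, to simulate the physically damaged disk of step 5."""

    def __init__(self, data, bad_sectors=(), sector_size=SECTOR):
        self.data, self.bad, self.ss, self.pos = data, set(bad_sectors), sector_size, 0

    def read(self, n):
        if self.pos >= len(self.data):
            return b""
        idx = self.pos // self.ss
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        if idx in self.bad:
            raise OSError(f"I/O error at sector {idx}")
        return chunk


def acquire_image(device, sector_size=SECTOR):
    """Step 4: bit-stream copy of `device`, sector by sector, hashing as it goes.
    An unreadable sector is zero-filled and recorded (the dd conv=noerror,sync
    behaviour) so every later offset in the image still lines up with the source.
    Returns (image_bytes, acquisition_sha256, bad_sectors)."""
    out, digest, bad, idx = io.BytesIO(), hashlib.sha256(), [], 0
    while True:
        try:
            chunk = device.read(sector_size)
        except OSError:
            chunk = b"\x00" * sector_size
            bad.append(idx)
        if not chunk:
            break
        out.write(chunk)
        digest.update(chunk)
        idx += 1
    return out.getvalue(), digest.hexdigest(), bad


def hash_all(data):
    """MD5, SHA-1 and SHA-256 of an image; recording all three lets the value be
    checked against whichever algorithm the other party's tool reports."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def verify_image(image, acquisition_sha256):
    """Step 7: re-hash the stored image; it must equal the hash taken during
    acquisition, otherwise the copy has been altered or is incomplete."""
    return hashlib.sha256(image).hexdigest() == acquisition_sha256


def custody_entry(case_no, item_id, description, examiner, image, acquisition_sha256, bad):
    """Step 1: log-book record for the evidence custody form, with the hashes."""
    entry = {
        "case_no": case_no,
        "item_id": item_id,
        "description": description,
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "image_size_bytes": len(image),
        "unreadable_sectors": bad,
        "verified": verify_image(image, acquisition_sha256),
    }
    entry.update(hash_all(image))
    return entry


if __name__ == "__main__":
    # Clean drive: the image is byte-identical to the source and the hashes match.
    image, acq_hash, bad = acquire_image(FlakyDevice(SUSPECT_DEVICE))
    print(custody_entry("CASE-0001", "HDD-1", "sample SATA drive", "Examiner A",
                        image, acq_hash, bad))
    # Damaged drive: sector 1 is unreadable. The image is still self-consistent,
    # but its hash can no longer equal the source's, and the log says why.
    image2, acq_hash2, bad2 = acquire_image(FlakyDevice(SUSPECT_DEVICE, bad_sectors=[1]))
    print("bad sectors:", bad2, "verified:", verify_image(image2, acq_hash2),
          "matches source:", acq_hash2 == SOURCE_SHA256)
    # Any change to the image after acquisition is caught on re-verification.
    print("tampered copy verifies:", verify_image(image[:-1] + b"x", acq_hash))
```

The hash is computed from the same bytes that are written, never from a second read of the original, so a drive that returns different data on each pass (a common symptom of physical damage) is exposed by the verification step rather than silently producing two "authentic" images that disagree.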
3.6 COMPRESSED, ENCRYPTED OR PASSWORD-PROTECTED FILES
Compressed file archives such as zip, rar, tar, cab, 7z, etc. will be extracted and examined
to determine if they contain relevant file types. The processing must be able to recursively
extract files from the archive because a compressed archive can be included in another
compressed archive.
Encrypted or password-protected files must be identified and logged. Once this is
confirmed, attempts will be made to crack the password. Whatever actions are taken must
be well documented in the report (including the name(s) of the tools used).
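The two requirements above (recursive extraction of nested archives, and identifying and logging password-protected entries instead of failing on them) are shown together in the following added Python example, which is not part of this Standards document. It handles zip only, the format the standard library can read; the nested evidence archive is constructed in memory, and because the standard library cannot write encrypted entries the "password-protected" archive is produced by setting the encrypted flag bit on an ordinary one, which is enough to exercise the detection path.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0 in the local and central file headers


def build_zip(entries):
    """Constructed fixture: entries maps name -> bytes; returns the zip as bytes."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return out.getvalue()


def mark_encrypted(zip_bytes):
    """Constructed fixture helper: set the 'encrypted' flag bit on every entry of
    an in-memory zip so the walker sees what a password-protected archive looks
    like. (zipfile can read but not write encrypted entries.)"""
    buf = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            at = pos + flag_off
            flags = struct.unpack_from("<H", buf, at)[0] | ENCRYPTED_FLAG
            struct.pack_into("<H", buf, at, flags)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def walk_archive(data, path, depth=0, max_depth=8, log=None):
    """Recursively extract a zip held in memory. Returns (files, log): files maps
    'outer.zip/inner.zip/name' -> bytes; log records every entry that could not
    be opened (encrypted, corrupt, or nested too deeply) for the report.
    max_depth bounds the recursion so a self-nesting archive cannot run the
    examiner's workstation out of memory."""
    files = {}
    log = [] if log is None else log
    if depth > max_depth:
        log.append({"path": path, "status": "nesting too deep"})
        return files, log
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        log.append({"path": path, "status": f"bad archive: {exc}"})
        return files, log
    with zf:
        for info in zf.infolist():
            entry = f"{path}/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & ENCRYPTED_FLAG:
                log.append({"path": entry, "status": "encrypted", "size": info.file_size})
                continue
            try:
                content = zf.read(info)
            except (RuntimeError, zipfile.BadZipFile, NotImplementedError) as exc:
                log.append({"path": entry, "status": f"unreadable: {exc}"})
                continue
            # Nested archives are recognised by content, not by extension, so a
            # zip renamed to notes.txt is still expanded.
            if content[:4] == b"PK\x03\x04":
                nested, _ = walk_archive(content, entry, depth + 1, max_depth, log)
                files.update(nested)
            else:
                files[entry] = content
    return files, log


# Constructed evidence: an outer archive holding a plain file, a nested archive,
# and a nested archive whose only entry is flagged as password-protected.
INNER = build_zip({"notes.txt": b"meeting at 9", "photo.jpg": b"\xff\xd8\xff\xd9"})
SECRET = mark_encrypted(build_zip({"ledger.xlsx": b"xlsx-bytes"}))
EVIDENCE = build_zip({"readme.txt": b"hello", "inner.zip": INNER, "secret.zip": SECRET})

if __name__ == "__main__":
    files, log = walk_archive(EVIDENCE, "evidence.zip")
    for name in files:
        print("extracted", name)
    for item in log:
        print("logged", item)
```

The log list is the input to the "attempts will be made to crack the password" step: each record carries the full nesting path, so the report can state exactly which entry was protected and which tool was later run against it.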
4.0 ESTABLISHING A DIGITAL AND COMPUTER FORENSIC LABORATORY
Site access.
o It is desirable that the site be designed with access from at least two
directions to ensure access to the site despite traffic conditions, street
maintenance work, acts of sabotage, or other unforeseen site disruptions.
Emergency and service access.
Dense shrubbery within 3.048 m (10 ft) of the building or any security fence.
Large clusters of shrubbery, 0.61 m (2 ft) to 1.83 m (6 ft) high.
Tall evergreens with branches less than 1.52 m (5 ft) above grade.
Parking design.
o Like landscaping, the design of parking areas should consider site security
requirements.
Exterior walls.
o Materials. Bullet-resistant, such as concrete.
o Windows. Reflective and/or bullet-resistant glazing where exposed to public
view.
o Window sill design. Windows should be installed flush with the exterior
surface of the wall, or if recessed, provide a sloped exterior sill to prevent the
placement of explosives at the window.
HVAC intakes.
o Locate in areas inaccessible to the public, such as in secured fenced areas.
Design to prevent the possibility of someone introducing a tear gas canister
into the intake.
o If located in parking areas, design to prevent introduction of vehicle exhaust.
o Locate away and upwind from fume hood exhaust.
Visitor access protection.
o Administrative or security receptionist at visitors access should be protected
behind bullet-resistant glazing with adjacent walls of similar bullet-resistive
construction.
Duress alarms.
o Call assistance or duress/panic alarms should be installed in key areas
throughout the facility and concealed as appropriate. Locations might include
visitor reception desk, bulk chemical storage spaces, weapons ranges,
parking garages, and clandestine lab storage and exam spaces.
Laboratory tours.
o If the facility is to be designed to accommodate guided tours, tour groups
should not be allowed into the laboratory spaces. Guided tours should be
conducted through the main corridor system with viewing through strategically
placed windows in the corridor walls providing viewing into the laboratory
spaces.
Interior glazing.
o It is recommended that the use of windows between laboratory spaces be
maximized.
o This is a feature designed to enhance safety of personnel by allowing those in
one laboratory space to view the activities of those in other spaces that might
be of a more hazardous nature.
Equipment and systems service and maintenance.
o Equipment and systems that are part of the building and might require
periodic service and maintenance should be located outside of the laboratory
spaces, and particularly outside of any space where evidence are stored.
Such equipment and systems might include, but are not limited to, electrical
panels, walk-in cooler compressors, and water purification filters.
Corridors.
o Primary circulation and exit corridors: 1.83 m (6 ft) wide, minimum.
o Secondary circulation and non-exit corridors: 1.37 m (41/2 ft) wide, minimum.
Doors.
o Double doors to all laboratory sections and spaces that are expected to
receive oversized evidence or equipment. Double doors shall consist of a
0.914 m (36 in) wide active leaf and an 0.457 m (18 in) wide inactive leaf.
o Freight elevator doors minimum 1.22 m (48 in) wide.
Security Design
Laboratory floors.
o Chemical-resistant sheet vinyl or vinyl tiles with welded seams.
Laboratory walls.
o Epoxy in all spaces considered highly biologically or chemically hazardous,
such as examination rooms, bulk drug analysis, and bulk chemical storage.
o Semi-gloss latex enamel in all other spaces.
Laboratory ceilings.
o Epoxy in all spaces considered highly biologically or chemically hazardous,
such as examination rooms, bulk drug analysis, and bulk chemical storage.
o Suspended acoustical in all other spaces.
Non-laboratory spaces.
o Acceptable interior finish standards for offices and non-laboratory support
spaces.
Laboratory casework.
o Standard laboratory casework with utility access space behind base cabinets.
o Steel or wood preferred, plastic laminate acceptable.
o Maximize use of flexible laboratory casework systems.
Files.
o Generally, one four-drawer filing cabinet, or the equivalent file storage space,
should be provided for each forensics analyst at the area of the nonlaboratory workstation.
Special considerations.
o Acoustics.
o Reflective surfaces.
o Vibration-proof flooring.
o High-strength flooring.
The forensic laboratory consists of various laboratories within the overall facility.
These various laboratories are commonly referred to as laboratory sections or units.
The recommended guidelines provided here are intended to serve as checklists for
the design of laboratory space in the technical laboratory sections. Many of the items
listed, such as laboratory workstations, are universal components of technical
sections. Other items may or may not be necessities, depending upon the needs
and size of individual laboratory sections.
In some instances area (m2, ft2) of floor space or linear footage (lin m, ft) of bench
space have been assigned to represent minimum guidelines for space requirements.
Items and areas that are not assigned measurements will vary as needed by
individual laboratories and the sections within those laboratories.
For most laboratory sections the checklist below follows a common theme. This
theme consists of the concept of a main laboratory space for each section, and
supporting spaces that are enclosed rooms with direct adjacency to the main
laboratory. The main laboratory is where each analyst will have an individual
laboratory workstation. The adjacent supporting spaces will be spaces devoted to
specific procedures or equipment items and that might be used by each analyst from
time to time during the course of his or her examinations.
May be designed as computer hardware space. Chemical and biological hazards will
not be present.
Main computer evidence laboratory space.
o Individual analyst laboratory workstation: 7.62 lin m (25 lin ft) bench space per
analyst.
o Miscellaneous computer evidence bench: 7.62 lin m (25 lin ft) bench space
per analyst.
o Independent data line with two jacks.
Various types of telephone lines.
Evidence room.
o 9.29 m2 (100 ft2) per analyst.
Equipment room.
o 9.29 m2 (100 ft2) per analyst.
o Administrative work spaces.
o May be included as part of the main computer evidence laboratory space.
o Supervisors office: 13.935 m2 (150 ft2).
o Analysts administrative workstation: 9.29 m2 (100 ft2) per analyst.
o Independent data line with two jacks.
o Various types of telephone lines.
Dry fire-suppression system.
o Book stacks.
o Periodicals shelves.
o Study carrel(s).
o Study table(s).
o Computer information terminal(s).
Building:
Mechanical.
o Heating, ventilation, and air conditioning (HVAC) equipment rooms.
o Air handling systems.
o Fume and biological hood exhaust equipment.
o Laboratory compressed air and vacuum systems.
o Central plant water treatment systems.
o Domestic hot and cold water systems.
o Fire extinguishing systems and sprinkler control rooms.
o Instrument gas manifold and distribution systems.
Communications.
o Computer rooms and/or closets.
o Telephone equipment rooms and/or closets.
o Premise wiring rooms and/or closets.
o Data line provisions
Electrical.
o Service entrance and main switch gear.
o Emergency generator.
o Uninterruptable power supply (UPS) equipment.
o Electrical closets.
o Electrical service panels.
Staff use.
o Lunch room.
o Break room(s).
o Locker rooms with showers.
o Rest rooms.
o Other.
o Janitorial closet(s).
o Passenger and/or freight elevator(s).
o Recycling.
o Lab coat cleaning.
o Shipping and receiving.
o Hazardous waste disposal.
o Compressed gas cylinder storage.
o General waste disposal.
Technical Support
Storage.
o General laboratory storage.
o General supplies storage.
o Long-term files storage.
o Chemical storage.
Dry fire-suppression system.
Evidence.
o Evidence receiving and return counter from and to submitting agencies.
o After-hours secure evidence lockers.
o Evidence disbursal and return counter to and from laboratory sections.
o Evidence custodian workstations: minimum 5.95 m2 (64 ft2).
o Evidence supervisor office: minimum 11.48 m2 (120 ft2).
o Evidence storage.
General evidence storage shelving.
Refrigerated and frozen evidence storage: refrigerators and freezers or walk-in
units.
Secure narcotics storage.
Secure valuables storage.
Flammable evidence storage: fire-rated, ventilated storage room, or ventilated
flammable storage cabinets.
Bio-hazardous evidence storage.
Gun storage.
Long-term evidence storage.
o Evidence workroom.
Mail room features for packaging, sending, and receiving evidence.
Layout countertop space with sink.
Photocopy and facsimile.
o Evidence case review/triage/conference room(s).
o Evidence drying.
General Technical:
Vehicle processing.
o Securable and air conditioned/heated forensic garage bay(s).
At least one bay large enough to accommodate vans and motor homes.
o Workbench space: 3.048 lin m (10 lin ft) per bay.
o One shop sink per bay.
o Laser or remote fiber light source.
o Vehicle lift (fixed or portable).
o High-intensity lighting.
o Additional pull-down lighting.
o Tools storage.
o Evidence drying room(s).
o Compressed air.
Forensic photography.
o Can be utilized for laboratory support only or offer full services, including
public relations and graphic arts.
o Film and print for black and white and color processing.
o Chemical storage and mixing space.
o Studio.
o Finishing.
o Computer-aided design and drafting (CADD) for graphic arts.
A Reception Room
The Main Digital Forensics Lab Room
The above space is just adequate for a start and should be evaluated periodically as the
activities increase.
4.4.2 FURNISHING
4.4.2.a The Reception:
4.4.2.b The Main Digital Forensics Laboratory Room (for six (6) Forensics Examiners):
4.5
Commercial Companies like Dell, HP, IBM make good computers, but may have
restrictions on customer repair and customization. Opening the case can void all
warranties.
These companies do not design their systems with forensics in mind.
Dell recently started to partner with forensic software vendors.
Ask: Has the company actually delivered forensic systems or are they just a website
wonder?
A company which specializes in forensic workstations should have:
o The forensic experience to know what components are required and what the
methodologies are, and to know how to use them.
o A warranty policy that is no-hassle for the end user.
o A policy that allows forensically qualified individuals to open the system
without voiding the warranty.
o A practice of testing the systems to ensure they are forensically sound; not all
computers are created equal, and test results must be repeatable.
o Responsiveness to customer needs, allowing configuration changes based on
customer-specific requirements.
At the end of the day you want systems that will do the job.
How fast the job gets done will in part depend on your budget.
Is the system configured to accept the media routinely received in an investigation?
Is the hardware easy to use?
Do you need portable forensic systems?
Portables come in a variety of shapes and sizes.
Some are built specifically for mobile forensics.
Laptops can work well as long as you test before you buy or buy from a forensics
company that has tested them.
The portable solution you choose should give you the same basic capabilities as your
lab systems.
4.5.2
The following items and the stated minimum quantities are to be provided for the kick-off
of an e-Crime and Digital Forensics Laboratory:
2 Nos. UFED Touch Ultimate Phone Forensics Solution, with Chinex and Link
Analysis (plus 2 Nos. extra batteries) Ruggedized.
2 Nos. UFED 4PC Phone Forensics Solution, with Chinex and Link Analysis.
2 Nos. Susteens Secured View 3 - svNUC Mobile Forensics Kit with the Intel Next
Unit of Computing.
2 Nos. AccessData Mobile Phone Examiner MPE+
1 No. Belkasoft Evidence Center Enterprise (multi-user) 2014 or latest
2 Nos. Belkasoft Photo Forgery Detection Plugin
Belkasoft Live RAM Capturer -- (Free of charge)
FTK Imager (Free of Charge)
2 Nos. FTK 5.0 Licenses (AccessData)
1 No. FTK Lab (10 users Licenses)
1 No. FTK CIRT 200 nodes
2 Nos. EnCase 7.09 or latest
1 No. Paraben Device Seizure
1 No. Paraben P2 Commander
4 Sets Write-Blockers
2 Nos. Image MASSter 4000PRO/WipePRO X2 IT & FORENSIC Extension Ready
(Std i7)
2 Nos. Image MASSter RAPID IMAGE Complete Solutions - IT & FORENSIC with
SCSI Cables, Image MASSter SATA Adapters, IDE Adapters, Expansion Boxes,
Accessories,
2 Nos. Encryption Tools
8 Nos. Forensic Workstations with min. of 1TB HDD, >2.5 GHz processor speed,
4 Nos. Forensic Laptops (for field work) with min. of 1TB HDD, >2.5 GHz processor speed,
Ruggedized, etc.
12 Nos. Microsoft Office Licenses
2 No. HP Deskjet 5500 or similar
2 No. LaserJet HP P2035 Printer or similar
8 Nos. UPS 650 VA
1 No. Scanner HP Scanjet G2710 or similar
12 Nos. Backup 2TB Hard Drives
12 Nos. Anti-Virus Software Licenses
Electrical Cabling and Extension cords
4 Nos. Internet Routers (Optional: for field use)
3 months Internet Subscription for 4 Nos. WIFI Routers (Optional)
12 Nos. Packs of Latex Gloves
Tool Sets:
For the Lab a good starting list is:
High quality screwdriver set (small ones also); I like Craftsman and Wiha
Small Wire Cutters
Small Needle Nose Pliers
Assortment of Torx bits
Assortment of Hex head bits
Small flashlight
Technicians Mirror (the kind you can adjust the mirror head)
Hemostats (forceps; Radio Shack calls them solder helpers)
Static Wrist Strap
Small Digital Multimeter
Container of computer screws
Spare Hard Disk Jumpers (large and small)
Spare Cables (Floppy, IDE, SATA, SCSI)
Assortment of Gender Changers
Assortment of Molex Male and Female Cables
Latex type gloves
5.2 PROFILE/QUALIFICATIONS OF DIGITAL AND COMPUTER FORENSICS EXAMINERS
(a) At inception, the Head of Unit/Department must have at least three (3) to five (5) years
practical experience in the field of computer and digital/mobile forensics and
particularly, in setting up new digital forensics laboratories for the detection and
investigation of electronic crime (e-Crime). Where this level of experience is not
available in-house, an organization should either arrange with its digital forensics
consultant/consulting firm to provide the necessary support, training and supervision
until such a time that capable hands are available in the unit or department or recruit
from outside your organization.
(b) Must be:
i. A Certified Forensics Examiner through any of:
(f) Ability to image and use the recommended digital forensics hardware/software and
tools, following sound digital and computer forensics approved methodology;
(g) For those who will act as Expert Witnesses in the courts, a minimum of Bachelors
degree or HND in any field and success in an aptitude test is mandatory. For
Laboratory Assistants, a minimum of OND in any field plus (b)i. are minimum
requirements;
(h) Must have an analytical and investigative mind; and
(i) Must be ready to work long and odd hours.
5.3
(a) The Consultant for digital and computer forensics laboratory implementation assignment
(individual or company) must have at least seven (7) years experience in the field of
computer/digital/mobile forensics;
(b) Must have previous experience in setting up new digital forensics laboratories for the
detection and investigation of electronic crime (e-Crime);
Standards for Digital and Computer Forensics in Nigeria Draft v0.2
(c) Experience in the management and implementation of large scale computerization and
infrastructural development in the public sector;
(d) Ability and experience in providing training in computer/digital/mobile forensics;
(e) Must be:
i. A Certified Forensics Examiner through any of:
5.5 JOB DESCRIPTION: COMPUTER FORENSICS EXAMINER/INVESTIGATOR
APPENDIX A
FORENSIC PORTALS
Art forensics concerns art authentication cases, helping to establish a work's
authenticity. Art authentication methods are used to detect and identify forgery,
faking and copying of art works, e.g. paintings.
Computational forensics concerns the development of algorithms and software to
assist forensic examination.
Criminalistics is the application of various sciences to answer questions relating to
examination and comparison of biological evidence, trace evidence, impression
evidence (such as fingerprints, footwear impressions, and tire tracks), controlled
substances, ballistics, firearm and toolmark examination, and other evidence in
criminal investigations. In typical circumstances evidence is processed in a Crime
lab.
Digital forensics is the application of proven scientific methods and techniques in
order to recover data from electronic / digital media. Digital Forensic specialists work
in the field as well as in the lab.
Forensic accounting is the study and interpretation of accounting evidence.
Forensic aerial photography is the study and interpretation of aerial photographic
evidence.
Forensic anthropology is the application of physical anthropology in a legal setting,
usually for the recovery and identification of skeletonized human remains.
Forensic archaeology is the application of a combination of archaeological
techniques and forensic science, typically in law enforcement.
Forensic astronomy uses methods from astronomy to determine past celestial
constellations for forensic purposes.
Forensic botany is the study of plant life in order to gain information regarding
possible crimes.
Forensic chemistry is the study of detection and identification of illicit drugs,
accelerants used in arson cases, explosive and gunshot residue.
Forensic dactyloscopy is the study of fingerprints.
Forensic document examination or questioned document examination answers
questions about a disputed document using a variety of scientific processes and
methods. Many examinations involve a comparison of the questioned document, or
components of the document, with a set of known standards. The most common
type of examination involves handwriting, whereby the examiner tries to address
concerns about potential authorship.
Forensic DNA analysis takes advantage of the uniqueness of an individual's DNA to
answer forensic questions such as paternity/maternity testing and placing a suspect
at a crime scene, e.g. in a rape investigation.
Forensic engineering is the scientific examination and analysis of structures and
products relating to their failure or cause of damage.
Forensic entomology deals with the examination of insects in, on and around human
remains to assist in determination of time or location of death. It is also possible to
determine if the body was moved after death using entomology.
Forensic geology deals with trace evidence in the form of soils, minerals and
petroleum.
Forensic geophysics is the application of geophysical techniques such as radar for
detecting objects hidden underground or underwater.
Forensic intelligence is a process that starts with the collection of data and ends with
the integration of results into the analysis of crimes under investigation.
Forensic interviews are investigative interviews conducted, using professional
expertise, with victims, witnesses, suspects or other sources to determine the facts
regarding suspicions, allegations or specific incidents in either public or private sector
settings.
Forensic limnology is the analysis of evidence collected from crime scenes in or
around fresh-water sources. Examination of biological organisms, in
particular diatoms, can be useful in connecting suspects with victims.
Forensic linguistics deals with issues in the legal system that require linguistic
expertise.
Forensic meteorology is a site-specific analysis of past weather conditions for a point
of loss.
Forensic odontology is the study of the uniqueness of dentition, better known as the
study of teeth.
Forensic optometry is the study of glasses and other eye wear relating to crime
scenes and criminal investigations.
Forensic pathology is a field in which the principles of medicine and pathology are
applied to determine a cause of death or injury in the context of a legal inquiry.
Forensic podiatry is the application of the study of feet, footprints or footwear and
their traces to analyse a crime scene and to establish personal identity in forensic
examinations.
Forensic psychiatry is a specialized branch of psychiatry as applied to and based on
scientific criminology.
Forensic psychology is the study of the mind of an individual, using forensic
methods. Usually it determines the circumstances behind a criminal's behavior.
Forensic seismology is the study of techniques to distinguish the seismic signals
generated by underground nuclear explosions from those generated by
earthquakes.
Forensic serology is the study of body fluids.
Forensic toxicology is the study of the effect of drugs and poisons on/in the human
body.
Forensic video analysis is the scientific examination, comparison and evaluation of
video in legal matters.
Mobile device forensics is the scientific examination and evaluation of evidence
found in mobile phones, e.g. call history and deleted SMS, and includes SIM card
forensics.
Trace evidence analysis is the analysis and comparison of trace evidence including
glass, paint, fibres and hair.
Wildlife Forensic Science applies a range of scientific disciplines to legal cases
involving non-human biological evidence, to solve crimes such as poaching, animal
abuse, and trade in endangered species.
Blood Spatter Analysis is the scientific examination of blood spatter patterns found at
a crime scene to reconstruct the events of the crime.
Source: http://en.wikipedia.org/wiki/Forensic_science
APPENDIX B
GLOSSARY OF TERMS
Acquisition: The process of creating a duplicate copy of digital media for the purposes of
examining it.
Agent: A person who serves the interests of an agency that has jurisdiction over criminal or
civil matters involving digital evidence. In many jurisdictions and circumstances, the agent
will be a law-enforcement officer. However, an agent may also be a non-sworn individual of
suitable qualification who is serving the interests of the parties involved in a criminal or civil
investigation or dispute.
Buddy list: A collection of screen names, usually compiled by a user for instant
messaging on his or her personal computer or cellular telephone.
Duplicate digital evidence: An accurate digital reproduction of all data objects contained
on the original physical item.
Electronic device: A device that operates on principles governing the behavior of
electrons.
Electronic evidence: Information and data of investigative value that are stored in or
transmitted by an electronic device.
Copy (v.): Accurately reproduce information contained on an original physical item,
independent of the electronic storage device (e.g., logical file copy). Maintains contents, but
attributes may change during the reproduction. Deleted files are not copied. Only the files
which the operating system (OS) can recognize are copied.
Encryption: Any procedure used in cryptography to convert plain text into cipher-text so as
to prevent anyone but the intended recipient from reading the data.
First responder: The initial responding law enforcement officer(s) and/or other public
safety official(s) arriving at the scene.
Digital evidence: Information stored or transmitted in binary form that may be relied on in
court.
Digital forensics: A branch of the forensic sciences related to the investigation of digital
devices and media. Within the field a number of "normal" forensics words are re-purposed,
and new specialist terms have evolved.
Digital media: Used within the fields to refer to the physical medium (such as a hard drive)
or data storage device.
Documentation: Written notes, audio-tapes, videotapes, disc, printed forms, sketches, and
photographs that form a detailed record of the scene, evidence recovered, and actions
taken during the search of the crime scene.
Duplicate: An accurate digital reproduction of all data contained on a digital storage device
(e.g., hard drive, CD-ROM, flash memory, floppy disk, Zip, Jaz). Maintains contents and
attributes (e.g., bit stream, bit copy, and sector dump).
EA2011: Nigeria's Evidence Act, 2011.
e-discovery or eDiscovery: A common abbreviation for electronic discovery.
Exhibit: Digital media seized for investigation is usually referred to as an "exhibit".
Hashing: Within the field, "hashing" refers to the use of hash functions (e.g. SHA1,
SHA256 or MD5) to verify that an "image" is identical to the source media. MD5 and SHA1
are no longer collision-resistant, so a SHA256 digest should always be recorded; MD5 is
kept only for comparison with older tools and reports.
High-technology crime: Criminal offenses that involve computer technology, including
computer crimes, computer-related crimes, and Internet-related crimes.
Image: A duplicate copy of some digital media created as part of the forensic process.
Imaging: Synonym of "acquisition"
ISP: Internet service provider. ISPs are organizations that provide subscribers with access
to the Internet. Small ISPs provide service via modem and ISDN (Integrated Services
Digital Network), while the larger ones also offer private line hookups (e.g., T1, fractional
T1).
Live Forensics or Live Analysis: Analysis of a piece of digital media from within itself;
often used to acquire data from RAM where this would be lost upon shutting down the
device.
Metadata: Data about data.
Network: A group of computers connected to one another to share information and
resources.
Server: A computer that provides some service for other computers that are connected to it
via a network.
Slack Space: The unused space between the end of a file's data and the end of the last
cluster allocated to it, in a file system that allocates storage in fixed-size clusters (a
file smaller than a cluster still occupies the whole cluster). Often contains remnants of
data from previous uses of the cluster, including deleted files.
Sniffer: Software that monitors network packets and can be used to intercept data
including passwords, credit card numbers, etc.
Steganography: The word steganography comes from the Greek steganos (covered or
hidden) and graphia (writing) and literally means hidden writing. Steganography uses
techniques to communicate information in a way that conceals the very existence of the
message.
Trier of fact: The person or persons who decide the facts in legal cases. In a jury trial the
jury is the trier of fact. When there is no jury (sometimes called a bench trial or trial to the
court), the judge is the trier of fact. With or without a jury, it is the judge who determines
the law in a case.
Unallocated Space: Clusters of a media partition not in use for storing any active files.
They may contain pieces of files that were deleted from the file partition but not removed
from the physical disk.
URL: Uniform Resource Locator.
Verification: A term used to refer to the hashing of both source media and acquired image
to verify the accuracy of the copy.
Write Blocker: The common name for a forensic disk controller, hardware used to
access digital media in a read-only fashion so that acquisition cannot alter the source
(and therefore its hash).
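The following is an added worked example, not part of this draft standard and not code from any of the tools it recommends. It ties together several of the terms above: a logical Copy versus a bit-stream Duplicate (Image), Hashing and Verification of the acquired image, and the Slack Space and Unallocated Space where deleted data survives. The volume it works on is constructed inside the script (assumed 512-byte sectors, 2 KB clusters, 8 clusters) and is not real evidence; the file name and the "directory entries" dictionary are assumptions that stand in for a real file system.

```python
import hashlib

# Geometry of the constructed sample volume (assumptions, not taken from the
# draft standard): 512-byte sectors, 4 sectors per cluster, 8 clusters.
SECTOR = 512
CLUSTER = 4 * SECTOR
CLUSTERS = 8

DELETED_MARKER = b"OLD CONFIDENTIAL MEMO "


def build_sample_media():
    """Return (raw_media, allocated) for a constructed toy volume.

    A 6 KB file once occupied clusters 0-2 and was then deleted: the OS only
    dropped its directory entry, the bytes stayed on disk. A small live file
    was later written at the start of cluster 2, so the rest of that cluster
    (file slack) and clusters 0-1 (unallocated) still hold the deleted data.
    `allocated` maps file name -> (byte offset, length) and stands in for
    the file system's directory entries (an assumption of this example).
    """
    media = bytearray(CLUSTERS * CLUSTER)
    media[0 : 3 * CLUSTER] = (DELETED_MARKER * 300)[: 3 * CLUSTER]
    live = b"invoice 0042: 1,250 NGN\n"
    media[2 * CLUSTER : 2 * CLUSTER + len(live)] = live
    allocated = {"invoice.txt": (2 * CLUSTER, len(live))}
    return bytes(media), allocated


def ceil_div(a, b):
    return -(-a // b)


def logical_copy(media, allocated):
    """Copy (v.): reproduce only what the OS can see, i.e. the live files.
    Deleted data, slack and unallocated clusters are not carried across."""
    return {name: media[off : off + ln] for name, (off, ln) in allocated.items()}


def duplicate(media):
    """Duplicate / image: a sector-by-sector reproduction of the whole volume."""
    return bytes(media)


def hash_media(data, algorithms=("md5", "sha256"), chunk=1 << 20):
    """Hash the media once, feeding each chunk to several digests.

    MD5 and SHA-1 are no longer collision-resistant, so SHA-256 is always
    recorded; MD5 is kept only for comparison with older tools and reports.
    """
    digests = {name: hashlib.new(name) for name in algorithms}
    view = memoryview(data)
    for start in range(0, len(view), chunk):
        for h in digests.values():
            h.update(view[start : start + chunk])
    return {name: h.hexdigest() for name, h in digests.items()}


def verify(source, image):
    """Verification: accept the image only if every digest matches the source."""
    return hash_media(source) == hash_media(image)


def file_slack(media, allocated):
    """Slack space: bytes from the end of a file to the end of its last cluster."""
    slack = {}
    for name, (off, ln) in allocated.items():
        end = off + ln
        slack[name] = media[end : ceil_div(end, CLUSTER) * CLUSTER]
    return slack


def unallocated_clusters(media, allocated):
    """Unallocated space: (cluster number, contents) for every cluster that no
    live file owns. Deleted files usually survive here until reuse."""
    in_use = set()
    for off, ln in allocated.values():
        in_use.update(range(off // CLUSTER, ceil_div(off + ln, CLUSTER)))
    return [
        (c, media[c * CLUSTER : (c + 1) * CLUSTER])
        for c in range(len(media) // CLUSTER)
        if c not in in_use
    ]


def where_deleted_data_survives(media, allocated, marker=DELETED_MARKER):
    """Report which acquisition views still contain the deleted file's bytes."""
    copy = logical_copy(media, allocated)
    image = duplicate(media)
    return {
        "logical_copy": any(marker in data for data in copy.values()),
        "file_slack": any(marker in s for s in file_slack(image, allocated).values()),
        "unallocated": sorted(
            c for c, data in unallocated_clusters(image, allocated) if marker in data
        ),
    }


if __name__ == "__main__":
    media, allocated = build_sample_media()
    image = duplicate(media)
    print("image verified against source:", verify(media, image))
    print("digests:", hash_media(image))
    print("deleted memo found in:", where_deleted_data_survives(media, allocated))
```

Running it shows the point the Copy and Duplicate entries make: the logical copy holds only the live invoice, while the image's file slack and unallocated clusters still contain the deleted memo. Computing two digests in one pass over the media costs little and lets the image be checked against older MD5-only reports while the verification itself rests on SHA-256.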
SELECTED REFERENCES
Association of Chief Police Officers (ACPO). Good Practice Guide for Computer-Based
Electronic Evidence (official release version). www.acpo.police.uk
Federal Republic of Nigeria. Evidence Act, 2011 (HB. 214).
Dominguez, Greg. Equipping a Forensic Lab. Techno Forensics 2007.
National Institute of Standards and Technology (NIST). Guide to Integrating Forensic
Techniques into Incident Response. Special Publication 800-86.
Olayiwola, Peter O. Digital Forensics in the Investigation and Prosecution of Criminal
Cases. Paper presented at the Commonwealth National Workshop for Prosecutors and
Investigators on Money Laundering, Terrorism and the Financing and Recovery of
Proceeds of Crime, Sheraton Hotel, Abuja, Nigeria, 15th-18th January 2013.
Olayiwola, Peter O. Evidence Collection and Crime Scene Documentation. Paper presented
at the First West African Digital & Computer Forensics Conference (Theme: Digital
Forensics: Antidote to High-Tech Crimes in West Africa), International Conference
Centre, Abuja, Nigeria, 18th April 2012.
U.S. Department of Justice, Office of Justice Programs, National Institute of Justice.
Forensic Laboratories: Handbook for Facility Planning, Design, Construction, and
Moving.
U.S. Department of Justice, Office of Justice Programs, National Institute of Justice,