Module 03 Computer Investigation Process

Computer Hacking Forensic Investigator

Module III: Computer Investigation Process
Scenario

Jim works as a technical resource developer in a reputed firm. As he was not meeting his deadlines, Jim started working late hours.

The extra effort put in by Jim did not produce any results, and his project manager got suspicious about his activities.

Copyright © by EC-Council
EC-Council All rights reserved. Reproduction is strictly prohibited
Module Objective

~ Investigating methodology
~ Evaluating the case
~ Investigation plan
~ Importance of data-recovery workstations and software
~ Implementing an investigation
~ Collecting the evidence
~ Closing the case
~ Case evaluation
Module Flow

~ Investigating methodology
~ Evaluating the case
~ Investigation plan
~ Importance of data-recovery workstations and software
~ Implementing an investigation
~ Collecting evidence
~ Case evaluation
~ Closing the case

Investigating Computer Crime

~ Determine if there has been an incident
~ Find and interpret the clues left behind
~ Do a preliminary assessment to search for the evidence
~ Search and seize the computer equipment

Investigating a Company Policy Violation

~ All employees of the company should be informed of the company policy
~ Employees using the company's resources for personal use not only waste the company's time and resources but also violate company policy
~ Such employees should be traced and educated about the company policy
~ If the problem persists, action should be taken

Investigation Methodology

~ Initial assessment about the case
~ Prepare a detailed design
~ Determination of the required resources
~ Identify the risk involved
~ Investigate the data recovered
~ Completion of case report
~ Critique the case


Evaluating the Case

~ The case can be assessed in the following manner:
• Situation of the case
• Nature of the case
• Specifics about the case
• Type of evidence
• Operating system used by the suspect
• Known disk format
• Location of evidence
• The motive of the suspect
Before the Investigation

~ The following points should be kept in mind before starting the investigation:
• Have skilled professionals
• Workstation and data recovery lab
• Alliance with a local District Attorney
• Define the methodology

Document Everything

~ Document the hardware configuration of the system
~ Document the system date and time
~ Document file names, dates, and times
~ Document all findings

Investigation Plan

~ The following points need to be considered while planning:
• Good understanding of the technical, legal, and evidentiary aspects of computers and networks
• Proper methodology
• Steps for collecting and preserving the evidence
• Steps for performing forensic analysis

Obtain Search Warrant

~ Executes the investigation
~ To carry out an investigation, a search warrant from a court is required
~ Warrants can be issued for:
• Entire company
• Floor
• Room
• Just a device
• Car
• House
• Any Company Property
Warning Banners

~ Flashes at the point of access
~ Warns both authorized and unauthorized users
~ A banner policy makes it easier to investigate unauthorized usage
~ Working employees are warned about the consequences if the company's policies are violated

Shutdown the Computer

~ During a crime scene, should the computer be shut down and unplugged to collect evidence?
• Case dependent
• In case of a DDoS attack, the system must be unplugged and then shut down
• The operating system's internal memory, process handles, open files, open ports, and open connections are recorded before unplugging the computer
Collecting the Evidence

~ The following steps are performed to collect the evidence:
• Find the evidence
• Discover the relevant data
• Prepare an Order of Volatility
• Eliminate external avenues of alteration
• Gather the evidence
• Prepare the chain of custody

Chain-of-Evidence Form

[Figure: sample chain-of-evidence form]

Confiscation of Computer Equipment

~ Sterilize all the media to be used in the examination process
~ Enter the crime scene, take a snapshot of the scene and then carefully scan the data sources
~ Retain and document the state and integrity of items at the crime scene
~ Transport the evidence to the forensic facility

Preserving the Evidence

~ Evidence for a case may include an entire computer and associated media
~ Collect computer evidence in anti-static bags, on an anti-static pad with an attached wrist strap
~ Store the evidence in an environment having pre-specified temperature and humidity

Importance of Data-recovery
Workstations and Software

~ Data-recovery lab – a place where investigations are conducted and all the equipment and software are kept
~ Computer-forensic workstation – a workstation set up to allow copying evidence with the help of various preloaded, ready-to-use software

Configuring a Windows 98 Workstation to Boot into MS-DOS

~ Start Windows 98 and open a command prompt.
~ Type msconfig and click the OK button.
~ Select startup settings on the General tab.
~ Click the Advanced button.
~ Check the Enable Startup Menu check box.
~ Click OK to close the Advanced Troubleshooting Settings.
~ Close the System Configuration Utility window.

To Add a Command to the MSDOS.SYS File

[Figure: editing MSDOS.SYS, changing the setting to 59]
Implementing an Investigation

~ The items that may be needed are:
• Evidence form
• Original evidence
• Evidence bag that is used as evidence container
• Bit-stream imaging tool
• Forensic workstation to copy and examine the
evidence
• Secure evidence container

Understanding Bit-stream Copies

[Figure: transfer of data (0101010101010) from the original media to the image disk]

Imaging the Evidence Disk

~ Capture an accurate image of the system as soon as possible.
~ The forensic copy can be created using various techniques such as:
• Using MS-DOS to create a bit-stream copy of a floppy disk / hard disk
• Using imaging software to acquire a bit-stream copy of a floppy disk / hard disk
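Added example, not EC-Council's code, tying the imaging step above to the chain-of-custody entry from Collecting the Evidence and to the repeatability requirement in Closing the Case: every byte of the source is copied, the original and the copy are hashed independently, an image whose hash differs is refused, and the custody record is written beside the image. The source is a constructed sample file standing in for a write-blocked device; the examiner name and case id are placeholders.

```python
# Added example (not EC-Council's code): bit-stream image an evidence source,
# verify the copy by hash, and write the chain-of-custody entry as JSON.
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream in 1 MiB pieces; the whole media never sits in RAM


def sha256_of(path):
    """Hash a file or device byte for byte, without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def bitstream_image(source, image, examiner, case_id):
    """Copy every byte of source to image and prove the copy is exact.
    Returns the custody record; raises if the hashes differ, because an
    unverified image must never be examined as evidence."""
    started = datetime.now(timezone.utc).isoformat()
    source_hash = sha256_of(source)  # hash the original before copying
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)  # raw copy, slack space included
    image_hash = sha256_of(image)  # hash the copy independently of the source
    if image_hash != source_hash:
        raise RuntimeError("image hash differs from source; do not examine it")
    record = {
        "case_id": case_id, "examiner": examiner,
        "source": os.path.abspath(source), "image": os.path.abspath(image),
        "bytes": os.path.getsize(image), "sha256": image_hash,
        "acquired_start_utc": started,
        "acquired_end_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(image + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)  # the evidence form travels with the image
    return record


def demo():
    """Constructed 2 MiB 'floppy' (assumption) with a marker string in the middle."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "floppy.dev")  # stands in for a device path
    with open(src, "wb") as f:
        f.write(b"\x00" * CHUNK + b"SUSPECT-NOTE" + b"\xff" * CHUNK)
    return bitstream_image(src, os.path.join(work, "floppy.raw"),
                           examiner="J. Examiner (placeholder)", case_id="CASE-000")
```

Re-running sha256_of on the image at any later stage must reproduce the recorded hash; any other value means the image was altered after acquisition.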

Examining the Digital Evidence

~ Analysis can be carried out using various forensic analysis tools such as EnCase, AccessData, etc.

Closing the Case

~ The investigator should include what was done and the results in the final report
~ A basic report includes: who, what, when, where and how
~ In a good computing investigation the steps can be repeated and the results obtained are the same every time
~ The report should explain the computer and network processes
~ An explanation should be provided for the various processes and the inner working of the system and its various interrelated components
Case Evaluation

~ The investigator should evaluate the case by asking the following questions:
• How could he improve his participation in the case?
• Did he use new techniques during the case?
• Did he discover new problems? If yes, when, why and what were the problems?
• What kind of feedback did he receive from the requesting source?
• Was there a match between his expectations from the case and the final outcome?

Summary

~ Take a systematic approach to the investigations
~ Take into account the nature of the case, the instructions, and the tools while planning the case
~ Apply standard problem-solving techniques
~ Always maintain a journal to make notes of everything
~ Create bit-stream copies of files using either the Diskcopy DOS utility or the Image tool