Module 1_Forensic Process

Computer forensics involves examining digital media to identify, preserve, recover, analyze, and present evidence related to crimes involving computers. The forensic process consists of three main parts: acquisition, analysis, and reporting, while ensuring legal authority and maintaining chain of custody are crucial. Analysts must approach investigations without bias, considering both inculpatory and exculpatory evidence.


ITSC 306: Computer Forensics
Module 1: Forensic Process

Definition

Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

(Computer forensics, n.d.)

© 2017, Southern Alberta Institute of Technology 2


Computer Involvement in a Crime

• Three ways a computer becomes involved in an investigation:
  1. The computer as the target of a crime
     ▪ For example, an intrusion investigation
  2. The computer as an instrument in a crime
     ▪ For example, accessing or distributing child pornography
  3. The computer holds evidence of a traditional crime
     ▪ For example, email between two subjects planning a crime



Scientific Method

1. Observation and description of a behaviour
2. Formulation of a hypothesis to explain the behaviour
3. Test the hypothesis
4. Accept, reject or modify the hypothesis



Computer Forensics - Art vs. Science

• Computer Forensics is part science and part art
  ◦ Science
     ▪ Follows the scientific method
     ▪ Passes the Daubert or Frye test for admissibility of scientific evidence used in American courts
  ◦ Art
     ▪ Dependent on the type of investigation and the experience of the investigator



Forensic Process

• Although many have tried, there has never been a universally accepted forensic process model
  ◦ One reason is the multitude of environments involved, including:
     ▪ Law enforcement
     ▪ Incident response
     ▪ Government
     ▪ Business
     ▪ Civil vs. criminal considerations
• The process comes down to three parts:
  1. Acquisition
  2. Analysis
  3. Reporting
Inculpatory vs. Exculpatory

• As a forensic analyst, you should not go into an investigation with a pre-determined outcome.
  ◦ Inculpatory: evidence which implies the guilt of a subject
  ◦ Exculpatory: evidence which implies the innocence of a subject
• It is imperative that you present both sides of the evidence and let the court decide on the evidence.



Have a Plan

• Have a plan before you start the analysis:
  ◦ What are you investigating?
  ◦ Where will the evidence be located?
  ◦ Which tools will you use?
  ◦ How quickly do you require results?
  ◦ What are the expected results?
• Don’t deviate from the plan
• Don’t chase the shiny object



Arrival on the Scene

• Keep notes of everything you do and learn as an investigator, with dates and times recorded.
• Clear the area and get everyone away from the keyboards.
• Photograph the area around the computer.
• Photograph the computer monitor and note whether the system is running when you arrive, as this determines your next steps.



Acquisition of Evidence

• Goal: interact with the evidence as little as possible
• Law enforcement in the 1980s/1990s was trained to pull the plug from the back of the computer upon arrival at the scene
• It was realized that volatile information was being lost, so the process was changed to a live response on the system before pulling the plug
• Imaging of the evidence should be conducted in your controlled lab space
• Is there reason to believe the drive may be encrypted?



Moving the Evidence to the Lab

• Make sure you take everything you will need to conduct the examination
  ◦ Power cables for laptops/cell phones
  ◦ Any proprietary cables
• Package the equipment carefully to prevent damage
• Avoid electrical fields (such as the radio in the trunk of a police car)
• Retain custody of the evidence until you can store it in your lab evidence locker (chain of custody)
• Keep notes of what you have done



At the Lab

• Log the evidence into the lab evidence locker (CoC)
• Photograph the evidence
• Take note of metadata
  ◦ Size of drive
  ◦ Make, model and serial number
  ◦ System date and time (from the system BIOS)
• Image the drive using write-blocking technology (one image for your workstation to analyze and one image to a server for storage)
• Put the original evidence back in the lab evidence locker
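The imaging step on this slide, as an added Python example that is not part of the SAIT deck: a constructed file stands in for the write-blocked suspect drive, the two copies (workstation and storage server) are written and each is verified against a SHA-256 hash of the source, and the slide's metadata items are appended with that hash to a chain-of-custody log. Hash verification is the standard way to show an image is bit-identical (the slide itself does not name it); case, examiner and device values are placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat even on multi-TB drives

def sha256_of(path: Path) -> str:
    # Stream-hash a file or block device; this is the value the CoC log records.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_and_verify(source: Path, copies: list) -> str:
    """Write every copy, then prove each is bit-identical to the source.
    Returns the source hash; any mismatch (bad media, flaky cable) raises."""
    expected = sha256_of(source)
    for dest in copies:
        with source.open("rb") as src, dest.open("wb") as dst:
            for block in iter(lambda: src.read(CHUNK), b""):
                dst.write(block)
        if sha256_of(dest) != expected:
            raise RuntimeError(f"hash mismatch on {dest}: re-image before analysis")
    return expected

def log_custody(log: Path, record: dict) -> dict:
    """Append one UTC-timestamped record to an append-only JSON-lines CoC log."""
    entry = {"utc": datetime.now(timezone.utc).isoformat(timespec="seconds"), **record}
    with log.open("a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def run_demo(workdir=None) -> dict:
    """Constructed scenario: a 3 MiB 'drive' file stands in for the write-blocked device."""
    workdir = Path(workdir or tempfile.mkdtemp())
    source = workdir / "suspect_drive.bin"
    source.write_bytes(b"EVIDENCE-SECTOR-" * (3 * CHUNK // 16))
    copies = [workdir / "image_workstation.dd", workdir / "image_server.dd"]
    digest = image_and_verify(source, copies)
    metadata = {"size_bytes": source.stat().st_size,  # the slide's items; values are placeholders
                "make_model_serial": "PLACEHOLDER-MAKE/MODEL/SN", "bios_clock": "PLACEHOLDER-BIOS-TIME"}
    entry = log_custody(workdir / "coc.jsonl", {
        "case": "CASE-PLACEHOLDER", "examiner": "EXAMINER-PLACEHOLDER",
        "action": "imaged source; 2 copies verified", "metadata": metadata, "sha256": digest})
    return {"source_sha256": digest, "copies_verified": len(copies),
            "entry": entry, "log_path": str(workdir / "coc.jsonl")}
```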
Analysis

• Open Source vs. Commercial

    Open Source      Commercial
    Sleuthkit        EnCase
    RegRipper        Forensic Toolkit Registry Viewer

• Forensic Suites vs. Target-Specific Tools

    Forensic Suites      Target-Specific Tools
    EnCase               Internet Evidence Finder
    Forensic Explorer    Cellebrite
    Axiom                Mount Image Pro



Legal Implications

• Always assume you will be taking the evidence to court
• Chain of custody is important
• Typically, electronic evidence is corroborative evidence
• Often the goal is to put a person behind the keyboard
• Legal Counsel
  ◦ When working for legal counsel, the analysis is work product and not discoverable without a court order (client/solicitor privilege)



Legal Authority to Examine Evidence

• Before you start your investigation you need to ensure you have the legal authority to examine the evidence.
  ◦ Law enforcement: have a search warrant or the owner’s informed consent
     ▪ Informed consent means knowing the implications of having the evidence examined and the possibility of being charged with a criminal offense.
  ◦ Corporate: more difficult to establish. Consider the following:
     ▪ Is the item the property of the corporation?
     ▪ Are there any expectations of privacy on the part of the system users?
     ▪ Is there a login banner indicating no expectation of privacy on the part of the user that needs to be acknowledged prior to system usage?



Locard’s Exchange Principle

“In forensic science, Locard’s exchange principle (sometimes simply Locard’s principle) holds that the perpetrator of a crime will bring something into the crime scene and leave with something from it, and that both can be used as forensic evidence. Dr. Edmond Locard (13 December 1877 – 4 May 1966) was a pioneer in forensic science…”

(Locard’s exchange principle, n.d.)



Physical Limitations - System Imaging

• Be aware of encryption (an imaged encrypted drive is still an encrypted drive)
  ◦ May require corporate keys to unlock the drive
  ◦ Try to obtain any user passwords
• Drives can fail
  ◦ May require a data recovery lab
• You may require adapters to connect the target drive to the imaging system
  ◦ Legacy equipment may be hard to connect to your imaging system

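A triage check for the encryption point on this slide, as an added Python example that is not part of the SAIT deck: per-block Shannon entropy over a constructed raw image flags regions that look encrypted (or compressed) as opposed to plaintext or wiped space, which tells you early whether corporate keys or user passwords must be pursued before analysis can proceed. The block size, thresholds and sample data are assumptions, and a high reading is a hint rather than proof.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed classification unit; a 4 KiB cluster is a common size

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/constant data, near 8.0 for uniformly random."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(entropy: float) -> str:
    """Heuristic buckets (assumed thresholds); compressed media also lands in the high bucket."""
    if entropy >= 7.5:
        return "likely encrypted/compressed"
    if entropy < 0.5:
        return "wiped/unallocated"
    return "plaintext-like"

def scan_image(image: bytes, block: int = BLOCK) -> list:
    """Return (offset, entropy, label) for each block of a raw image."""
    report = []
    for off in range(0, len(image), block):
        e = shannon_entropy(image[off:off + block])
        report.append((off, round(e, 2), classify(e)))
    return report

def summarize(report: list) -> dict:
    """Count blocks per bucket; a mostly-high-entropy image means keys come before analysis."""
    return dict(Counter(label for _, _, label in report))

def pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (SHA-256 in counter mode)."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return bytes(out[:n])

def build_sample_image() -> bytes:
    """Constructed 3-block image: a repeated note, 'ciphertext', then zero-filled space."""
    note = (b"Meeting moved to Friday. Bring the ledger and the spare USB key.\n" * 80)[:BLOCK]
    return note + pseudo_random(BLOCK) + bytes(BLOCK)
```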


Physical Limitations - System Imaging

• Location may become an issue if you have to complete your image over a network connection.
  ◦ You may need to be more surgical: pick the files you suspect are important to the investigation and do not collect unallocated space
• Size of the hard drive may become an issue
• International borders may cause an issue: what can be legally transferred outside of the country?
• Cloud storage may make it difficult to access the data
• Internet of Things: how do you image a thermostat?



Summary

• Computer evidence is becoming more pervasive in judicial hearings
• Forensic process: acquisition, analysis and reporting
• Don’t be afraid to use open source tools as well as commercial tools
• Important: ensure you have the legal authority to examine the evidence



References

• Computer forensics. Retrieved Sep. 27, 2017 from Wikipedia: https://en.m.wikipedia.org/wiki/Computer_forensics
• Locard’s exchange principle. Retrieved Sep. 27, 2017 from Wikipedia: https://en.wikipedia.org/wiki/Locard%27s_exchange_principle



© 2017, Southern Alberta Institute of Technology. All rights reserved.
This publication and materials herein are protected by applicable intellectual property laws. Unauthorized reproduction and distribution of this publication in whole or
part is prohibited.

For more information, contact:
Director, Centre for Instructional Technology and Development
Southern Alberta Institute of Technology
1301 16 Ave. N.W., Calgary, AB T2M 0L4
