Chapter 2 - Understanding Computer Investigations
and Investigations
Fourth Edition
Objectives
1. Preservation
• The preservation stage corresponds to “freezing the crime scene”.
• It consists of stopping or preventing any activities that can damage the digital information being collected.
• Preservation involves operations such as preventing people from using computers during collection, stopping ongoing deletion processes, and choosing the safest way to collect information.
Investigative Process
2. Collection
• The collection stage consists of finding and collecting digital information that may be relevant to the investigation. Since digital information is stored in computers, collecting it means either collecting the equipment that contains the information or recording the information on some medium.
• Collection may involve removing personal computers from the crime scene, copying or printing out the contents of files from a server, recording network traffic, and so on.
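The “recording the information on some medium” option above is where most mistakes are made: a copy that cannot be shown to match the original is of little value later. The script below is an added illustration, not code from the textbook or the slides: it copies a source file into an evidence directory, hashes both the original and the copy, and returns a custody record. The hash verification, the `acquire` function and the constructed sample file are all assumptions added here; the slides only state that the information is recorded on a medium.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read/write 1 MiB at a time so large images do not need to fit in memory


def sha256_of(path):
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, evidence_dir, case_id):
    """Copy `source` into `evidence_dir` and return a custody record.

    The source is opened read-only and never written to. The stored copy is
    hashed independently of the source so the record proves the copy matches
    what was collected. (Hashing the acquisition is an added integrity check;
    the slides do not describe it.)
    """
    os.makedirs(evidence_dir, exist_ok=True)
    target = os.path.join(evidence_dir, f"{case_id}_{os.path.basename(source)}.img")
    with open(source, "rb") as src, open(target, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    record = {
        "case_id": case_id,
        "source": source,
        "target": target,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "source_sha256": sha256_of(source),
        "target_sha256": sha256_of(target),
    }
    # A mismatch here means the copy cannot be relied on and must be re-acquired.
    record["verified"] = record["source_sha256"] == record["target_sha256"]
    return record


def demo():
    """Run the acquisition against a constructed file (not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "mail.pst")  # constructed sample, not a real mailbox
        with open(src, "wb") as f:
            f.write(b"constructed sample data " * 1000)
        rec = acquire(src, os.path.join(tmp, "evidence"), "CASE-0001")
        return rec["verified"], rec["source_sha256"]


if __name__ == "__main__":
    verified, digest = demo()
    print("verified:", verified, "sha256:", digest)
```

The digests and the collection time belong on the evidence label and in the case notes; a second examiner can then re-hash the stored copy at any time and confirm it has not changed since collection.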
Investigative Process
3. Examination
• The examination stage consists of an “in-depth systematic search of evidence” relating to the incident being investigated.
• The output of examination is a set of data objects found in the collected information.
• They may include log files, data files containing specific phrases, timestamps, and so on.
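The slide names three kinds of data object the examination produces: log files, files containing specific phrases, and timestamps. The script below is an added example, not code from the textbook or slides, showing a minimal systematic search over a constructed set of collected log lines: it finds every line containing one of the phrases of interest, parses the timestamp on each hit, and orders the hits into a timeline that the analysis stage can draw conclusions from. The log lines, the phrase list and the function names are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of collected log lines (not from any real system).
COLLECTED_LOGS = """\
2024-03-01T08:15:02Z auth sshd[412]: Accepted password for alice from 10.0.0.5
2024-03-01T08:17:45Z file smbd[918]: alice opened //fs01/finance/Q1_forecast.xlsx
2024-03-01T08:18:10Z usb kernel: new USB mass storage device sdb attached
2024-03-01T08:19:33Z file smbd[918]: alice copied Q1_forecast.xlsx to /media/sdb
2024-03-01T08:20:01Z auth sshd[412]: session closed for user alice
"""

# ISO-8601 timestamp at the start of each line (format assumed for the sample).
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")


def examine(text, phrases):
    """Return every line containing one of `phrases`, with its parsed timestamp.

    Each hit is a (timestamp, matched phrase, line) tuple. Matching is
    case-insensitive so differences in how tools log the same term do not
    hide a hit.
    """
    hits = []
    for line in text.splitlines():
        m = TIMESTAMP.match(line)
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S") if m else None
        for phrase in phrases:
            if phrase.lower() in line.lower():
                hits.append((ts, phrase, line))
                break  # record one hit per line even if several phrases match
    return hits


def timeline(hits):
    """Sort hits chronologically; lines with no parseable timestamp go last."""
    return sorted(hits, key=lambda h: (h[0] is None, h[0] or datetime.min))


if __name__ == "__main__":
    for ts, phrase, line in timeline(examine(COLLECTED_LOGS, ["Q1_forecast", "USB mass storage"])):
        print(ts, "|", phrase, "|", line)
```

Keeping the raw line alongside the parsed timestamp matters: the timeline is what the analyst reasons over, but the unmodified line is what gets cited as the evidence.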
Investigative Process
4. Analysis
• The aim of analysis is to “draw conclusions based on evidence found”.
An Overview of a Computer Crime
• Computers can contain information that helps law enforcement determine:
– Chain of events leading to a crime
– Evidence that can lead to a conviction
• Law enforcement officers should follow proper procedure when acquiring the evidence
– Digital evidence can be easily altered by an overeager investigator
• Information on hard disks might be password protected
Examining a Computer Crime
An Overview of a Company Policy Violation
• Steps (continued)
– Place surveillance systems
– Discreetly gather any additional evidence
– Collect all log data from networks and e-mail servers
– Report regularly to management and corporate attorneys
– Review the investigation’s scope with management and corporate attorneys
Interviews and Interrogations in High-Tech Investigations
• Connects a hard drive in trusted read-only mode
• There are also Linux boot CDs that mount all drives read-only, such as Helix and some Knoppix distributions
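Whether the drive is behind a hardware write-blocker or attached from a read-only boot CD, the examiner should confirm that the operating system actually mounted it read-only before touching it. The script below is an added example, not from the textbook or the slides: it parses a mount table in the `/proc/mounts` layout used by Linux and reports any block device under an evidence mount prefix that is mounted writable. The sample mount table, the `/mnt/` prefix and the function names are constructed assumptions for the example.

```python
# Constructed /proc/mounts-style sample (not captured from a real machine).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/evidence ntfs ro,noexec,nosuid,nodev 0 0
/dev/sdc1 /mnt/suspect2 ext4 rw,noatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""


def parse_mounts(text):
    """Parse mount-table lines into (device, mountpoint, fstype, option-set) tuples.

    /proc/mounts lists one mount per line: device, mountpoint, filesystem type,
    comma-separated options, then two dump/pass fields we ignore.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        device, mountpoint, fstype, opts = parts[:4]
        entries.append((device, mountpoint, fstype, set(opts.split(","))))
    return entries


def writable_evidence_mounts(text, prefix="/mnt/"):
    """Return (device, mountpoint) for block devices under `prefix` that are NOT read-only.

    Any entry returned means the drive could be modified during examination
    and should be remounted read-only (or attached through a write-blocker)
    before the examination continues.
    """
    bad = []
    for device, mountpoint, _fstype, opts in parse_mounts(text):
        if mountpoint.startswith(prefix) and device.startswith("/dev/") and "ro" not in opts:
            bad.append((device, mountpoint))
    return bad


def check_live_system():
    """Read the real mount table; on a forensic workstation this should return []."""
    with open("/proc/mounts") as f:
        return writable_evidence_mounts(f.read())


if __name__ == "__main__":
    print("writable evidence mounts in sample:", writable_evidence_mounts(SAMPLE_MOUNTS))
```

The `ro` option in the mount table only shows what the kernel was asked to do; a hardware write-blocker additionally guarantees that nothing reaches the disk even if the software setting is later changed, which is why the two are used together rather than as alternatives.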
Setting Up Your Computer for Computer Forensics
• Basic requirements
– A workstation running Windows XP or Vista
– A write-blocker device
– Computer forensics acquisition tool
• Like FTK Imager
– Computer forensics analysis tool
• Like FTK
– Target drive to receive the source or suspect disk data
– Spare PATA or SATA ports
– USB ports
Setting Up Your Computer for Computer Forensics (continued)