Introduction To Forensics

Chapter 1 of the 'Guide to Computer Forensics and Investigations' introduces the field of computer forensics, emphasizing its role in both law enforcement and corporate investigations. It outlines the importance of professional conduct, the legal frameworks governing investigations, and the evolution of forensic tools and techniques. The chapter also discusses the distinction between public and private investigations, highlighting the need for proper preparation and adherence to legal guidelines.

Guide to Computer Forensics and Investigations, Fourth Edition
Chapter 1: Computer Forensics and Investigations as a Profession

Professor: Dr. Maryam Ahmed


Objectives
• Define computer forensics
• Describe how to prepare for computer investigations and explain the difference between law enforcement agency and corporate investigations
• Explain the importance of maintaining professional conduct
Scenario
Syllabus
• Week 1: Introduction to Forensics (live lesson)
• Reading: Read Chapter 1: Introduction to Forensics
• Assessment: Lab 1 (3%)
• CLO 1.1 - 1.3
Understanding Computer Forensics
Computer forensics
• Involves obtaining and analyzing digital information
• As evidence in civil, criminal, or administrative cases
FBI Computer Analysis and Response Team (CART)
• Formed in 1984 to handle the increasing number of cases involving digital evidence
FBI CART Website
NC3
Understanding Computer Forensics (continued)
• Fourth Amendment to the U.S. Constitution
• Protects everyone’s rights to be secure in their person, residence, and property
  • From search and seizure
  • Search warrants are needed
Understanding Computer Forensics (continued)
• Section 8 guarantees that "Everyone has the right to be secure against unreasonable search or seizure."
Computer Forensics Versus Other Related Disciplines
Computer forensics
• Investigates data that can be retrieved from a computer’s hard disk or other storage media
Network forensics
• Yields information about how a perpetrator or an attacker gained access to a network
Data recovery
• Recovering information that was deleted by mistake
• Or lost during a power surge or server crash
• Typically you know what you’re looking for
Computer Forensics Versus Other Related Disciplines (continued)
Computer forensics
• Task of recovering data that users have hidden or deleted and using it as evidence
• Evidence can be inculpatory (“incriminating”) or exculpatory
Disaster recovery
• Uses computer forensics techniques to retrieve information their clients have lost
Investigators often work as a team to make computers and networks secure in an organization
Computer Forensics Versus Other Related Disciplines (continued)
Enterprise network environment
• Large corporate computing systems that might include disparate or formerly independent systems

Computer Forensics Versus Other Related Disciplines (continued)
Vulnerability assessment and risk management group
• Tests and verifies the integrity of standalone workstations and network servers
• Professionals in this group have skills in network intrusion detection and incident response
Computer Forensics Versus Other Related Disciplines (continued)
• Litigation
  • Legal process of proving guilt or innocence in court
• Computer investigations group
  • Manages investigations and conducts forensic analysis of systems suspected of containing evidence related to an incident or a crime
History of Computer Forensics
1970s
• By the 1970s, electronic crimes were increasing, especially in the financial sector
• Most law enforcement officers didn’t know enough about computers to ask the right questions
A Brief History of Computer Forensics
1980s
• PCs gained popularity and different OSs emerged
• Disk Operating System (DOS) was available
• Forensics tools were simple, and most were generated by government agencies
A Brief History of Computer Forensics (continued)
Mid-1980s
• Xtree Gold appeared on the market
  • Recognized file types and retrieved lost or deleted files
• Norton DiskEdit soon followed
  • And became the best tool for finding deleted files
1987
• Apple produced the Mac SE
  • A Macintosh with an external EasyDrive hard disk with 60 MB of storage
A Brief History of Computer Forensics (continued)
Early 1990s
• Tools for computer forensics were available
• International Association of Computer Investigative Specialists (IACIS)
  • Training on software for forensics investigations
• IRS created search-warrant programs
• ExpertWitness for the Macintosh
  • First commercial GUI software for computer forensics
  • Created by ASR Data
Early 1990s (continued)
• ExpertWitness for the Macintosh
  • Recovers deleted files and fragments of deleted files

A Brief History of Computer Forensics (continued)
• Large hard disks posed problems for investigators
Now
• iLook
  • Maintained by the IRS, limited to law enforcement
• EnCase
  • Available for public or private use
• AccessData Forensic Toolkit (FTK)
  • Available for public or private use
Computer Forensics Tools
Most Important Commercial Forensic Software Today
• EnCase
  • Link Ch 1a on my Web page
  • Go to Samsclass.info, then click CNIT 121
• FTK
  • Link Ch 1b
  • Free demo version (we will use it in this class)
Open Source Forensic Tools
• Linux-based
  • Knoppix Live CDs
  • Helix
  • Ubuntu
  • SANS Sift
  • Backtrack (Kali, and Kali Purple)
• Not commonly used as the main tool, but for special purposes
Laws and Resources
Understanding Case Law
• Technology is evolving at an exponential pace
• Existing laws and statutes can’t keep up with the change
• Case law is used when statutes or regulations don’t exist
• Case law allows legal counsel to use previous cases similar to the current one
  • Because the laws don’t yet exist
• Each case is evaluated on its own merit and issues
Developing Computer Forensics Resources
• You must know more than one computing platform
  • Such as DOS, Windows 9x, Linux, Macintosh, and current Windows platforms
• Join as many computer user groups as you can
• Computer Technology Investigators Network (CTIN)
  • Meets monthly to discuss problems that law enforcement and corporations face
Developing Computer Forensics Resources (continued)
• High Technology Crime Investigation Association (HTCIA)
  • Exchanges information about techniques related to computer investigations and security
• User groups can be helpful
  • Build a network of computer forensics experts and other professionals
  • And keep in touch through e-mail
• Outside experts can provide detailed information you need to retrieve digital evidence
Public and Private Investigations
Preparing for Computer Investigations
• Computer investigations and forensics falls into two distinct categories
  • Public investigations
  • Private or corporate investigations
• Public investigations
  • Involve government agencies responsible for criminal investigations and prosecution
  • Organizations must observe legal guidelines
• Law of search and seizure
  • Protects rights of all people, including suspects
Preparing for Computer Investigations (continued)
Private or corporate investigations
• Aren’t governed directly by criminal law or Fourth Amendment issues
• Deal with private companies, non-law-enforcement government agencies, and lawyers
• Governed by internal policies that define expected employee behavior and conduct in the workplace

Preparing for Computer Investigations (continued)
• Private corporate investigations also involve litigation disputes
• Investigations are usually conducted in civil cases
Law Enforcement Agency Investigations
Understanding Law Enforcement Agency Investigations
• In a criminal case, a suspect is tried for a criminal offense
  • Such as burglary, murder, or molestation
• Computers and networks are sometimes only tools that can be used to commit crimes
• Many states have added specific language to criminal codes to define crimes involving computers, such as theft of computer data
• Following the legal process
  • Legal processes depend on local custom, legislative standards, and rules of evidence
Understanding Law Enforcement Agency Investigations (continued)
• Following the legal process (continued)
  • Criminal case follows three stages
    • The complaint, the investigation, and the prosecution
Understanding Law Enforcement Agency Investigations (continued)
• Following the legal process (continued)
  • A criminal case begins when someone finds evidence of an illegal act
  • Complainant makes an allegation, an accusation or supposition of fact
  • A police officer interviews the complainant and writes a report about the crime
  • Police blotter provides a record of clues to crimes that have been committed previously
  • Investigators delegate, collect, and process the information related to the complaint
Police Blotter
• Link Ch 1c
Understanding Law Enforcement Agency Investigations (continued)
• Following the legal process (continued)
  • After you build a case, the information is turned over to the prosecutor
  • Affidavit
    • Sworn statement of support of facts about or evidence of a crime
    • Submitted to a judge to request a search warrant
    • Have the affidavit notarized under sworn oath
  • Judge must approve and sign a search warrant
    • Before you can use it to collect evidence
Corporate Investigations
Understanding Corporate Investigations
• Private or corporate investigations
  • Involve private companies and lawyers who address company policy violations and litigation disputes
• Corporate computer crimes can involve:
  • E-mail harassment
  • Falsification of data
  • Gender and age discrimination
  • Embezzlement
  • Sabotage
  • Industrial espionage
Understanding Corporate Investigations (continued)
• Establishing company policies
  • One way to avoid litigation is to publish and maintain policies that employees find easy to read and follow
  • Published company policies provide a line of authority
  • Well-defined policies
Understanding Corporate Investigations (continued)
• Displaying Warning Banners
  • Another way to avoid litigation
• Displaying Warning Banners (continued)
  • Warning banner
    • Usually appears when a computer starts or connects to the company intranet, network, or virtual private network
    • Informs end users that the organization reserves the right to inspect computer systems and network traffic at will
    • Establishes the right to conduct an investigation
    • Removes expectation of privacy
  • As a corporate computer investigator
    • Make sure company displays well-defined warning banner
Understanding Corporate Investigations (continued)
• Designating an authorized requester
  • Authorized requester has the power to conduct investigations
  • Policy should be defined by executive management
  • Groups that should have direct authority to request computer investigations
    • Corporate Security Investigations
    • Corporate Ethics Office
    • Corporate Equal Employment Opportunity Office
    • Internal Auditing
    • The general counsel or Legal Department
Understanding Corporate Investigations (continued)
• Conducting security investigations
  • Types of situations
    • Abuse or misuse of corporate assets
    • E-mail abuse
    • Internet abuse
  • Be sure to distinguish between a company’s abuse problems and potential criminal problems
  • Corporations often follow the silver-platter doctrine
    • What happens when a civilian or corporate investigative agent delivers evidence to a law enforcement officer
Understanding Corporate Investigations (continued)
• Distinguishing personal and company property
  • Many company policies distinguish between personal and company computer property
  • One area that’s difficult to distinguish involves PDAs, cell phones, and personal notebook computers
  • The safe policy is to not allow any personally owned devices to be connected to company-owned resources
    • Limiting the possibility of commingling personal and company data
Professional Conduct
• Professional conduct includes ethics, morals, and standards of behavior
• Determines your credibility

Maintaining Professional Conduct
• Maintaining objectivity means you must form and sustain unbiased opinions of your cases
• Maintain an investigation’s credibility by keeping the case confidential
• In the corporate environment, confidentiality is critical
• In rare instances, your corporate case might become a criminal case as serious as murder
Maintaining Professional Conduct (continued)
• Enhance your professional conduct by continuing your training
• Record your fact-finding methods in a journal
• Attend workshops, conferences, and vendor courses
• Membership in professional organizations adds to your credentials
• Achieve a high public and private standing and maintain honesty and integrity
Applying the Daubert Standard to Forensic Evidence
The Daubert standard
• The Daubert standard is a set of guidelines used by US federal courts to determine the admissibility of scientific and technical evidence, including forensic evidence. It was established by the US Supreme Court in 1993 in the case of Daubert v. Merrell Dow Pharmaceuticals, Inc., and has since been adopted by many states as well.
Court Acceptance of Expert Testimony
• In Daubert and later cases, the Court explained that the federal standard includes general acceptance, but also looks at the science and its application. Trial judges are the final arbiter or “gatekeeper” on admissibility of evidence and acceptance of a witness as an expert within their own courtrooms.
Court Acceptance of Expert Testimony (Cont.)
In deciding if the science and the expert in question should be permitted, the judge should consider:
• What is the basic theory and has it been tested?
• Are there standards controlling the technique?
• Has the theory or technique been subjected to peer review and publication?
• What is the known or potential error rate?
• Is there general acceptance of the theory?
• Has the expert adequately accounted for alternative explanations?
• Has the expert unjustifiably extrapolated from an accepted premise to an unfounded conclusion?
Court Acceptance of Expert Testimony (Cont.)
• The Daubert Court also observed that concerns over shaky evidence could be handled through vigorous cross-examination, presentation of contrary evidence and careful instruction on the burden of proof.
• In many states, scientific expert testimony is now subject to this Daubert standard. But some states still use a modification of the Frye standard.
Conclusion
1. Computer forensics is the process of obtaining and analyzing digital information as evidence in civil, criminal, or administrative cases.
2. Computer forensics investigations involve the recovery and analysis of data from a computer's hard disk or other storage media, as well as network forensics to determine how an attacker gained access to a network.
3. The legal process for computer investigations and forensics depends on local custom, legislative standards, and rules of evidence, and is typically governed by the Fourth Amendment to the US Constitution, which protects individuals from unreasonable searches and seizures.
4. Corporate investigations involve private companies and lawyers who address company policy violations and litigation disputes, and often require the establishment of company policies, warning banners, and the designation of authorized requesters to conduct investigations.
5. To maintain professional conduct, computer forensic investigators must adhere to ethical and moral standards, maintain objectivity, continue their training, and achieve a high public and private standing through honesty and integrity. The admissibility of expert testimony in computer forensics is subject to the Daubert standard, which considers factors such as the theory's basic testing, control standards, peer review, error rates, and general acceptance within the scientific community.
Home Work
• Read Chapter 1
• Discussion Board
• Lab 1
