Module II - Computer Forensics Investigation Process
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Howard Eisemann, CEO of Able Forensic Investigations, Announces New TSCM Investigative Section
Source: http://www.webwire.com/
Module Objective
This module will familiarize you with:
• Investigating Computer Crime
• Steps to Prepare for a Computer Forensic Investigation
• Investigation Process
• Assess the Situation
• Acquire the Evidence
• Analyze the Evidence
• Evidence Management
• Report the Investigation
• Present the Evidence to Court
Module Flow
Investigating Computer Crime → Steps to Prepare for a Computer Forensic Investigation → Assess the Situation → Acquire the Evidence → Analyze the Evidence → Evidence Management → Report the Investigation → Present the Evidence to Court
Investigating Computer Crime
Determine whether an incident has occurred
Find and interpret the clues left behind
Conduct a preliminary assessment to search for the evidence
Search and seize the computer equipment
Collect evidence that can be presented in a court of law or at a corporate inquiry
Before the Investigation
Before starting the investigation, make sure you:
• Have a workstation and data recovery lab
• Build an investigating team
• Enter into an alliance with the local District Attorney
• Review policies and laws
• Notify decision makers and acquire authorization
• Assess risks
• Build a computer investigation toolkit
• Define the methodology
Build a Forensics Workstation
The computer forensics approach should be clearly defined before building the forensic workstation
The computer forensics workstation should have facilities and tools to:
• Support hardware-based local and remote network drive duplication
• Validate the integrity of the image and of individual files
• Identify the date and time when files were modified, accessed, or created
• Identify deleted files
• Support removable media
• Isolate and analyze free (unallocated) drive space
Forensics Workstation
Building the Investigation Team
Determine the person who should respond to an incident for a successful
internal computer investigation
Identify team members and assign the responsibility to each team member
Assign one team member as the technical lead for the investigation
Keep the investigation team as small as possible to ensure confidentiality and
to protect the organization against unwanted information leaks
Ensure that every team member has the necessary clearance and authorization
to conduct assigned tasks
Engage a trusted external investigation team if your organization does not have
personnel with the necessary skills
People Involved in Computer Forensics
• Attorney: gives legal advice
• Photographer: photographs the crime scene and the evidence gathered
• Incident Responder: responsible for the measures to be taken when an incident occurs
• Decision Maker: responsible for authorizing a policy or procedure for the investigation process
People Involved in Computer Forensics (cont’d)
• Incident Analyzer: analyzes incidents based on their occurrence
• Evidence Examiner/Investigator: examines the evidence acquired and sorts out the useful evidence
• Evidence Documenter: documents all the evidence and every phase of the investigation process
• Evidence Manager: manages the evidence so that it remains admissible in a court of law
• Expert Witness: offers a formal opinion as testimony in a court of law
Review Policies and Laws
It is essential to understand the laws that apply to the investigation, including the organization’s internal policies, before starting the investigation process
Identify possible concerns related to applicable Federal statutes (such as the Electronic Communications Privacy Act of 1986 (ECPA) and the Cable Communications Policy Act (CCPA), both as amended by the USA PATRIOT Act of 2001, and/or the Privacy Protection Act of 1980 (PPA)), State statutes, and local policies and laws
Best practices in reviewing policies and laws include:
• Determine the extent of the authority to search
• Determine the legal authority for conducting an investigation
• Consult a legal advisor on any issues raised by improper handling of the investigation
• Ensure the customer’s privacy and confidentiality
Forensics Laws
United States Code:
18 USC §1029. Fraud and related activity in connection with access devices
18 USC §1030. Fraud and related activity in connection with computers
18 USC §§1361-1362. Malicious mischief (injury to government property; interference with communication lines and systems)
Federal Rules of Evidence:
Rule 402. Relevant Evidence Generally Admissible; Irrelevant Evidence Inadmissible
Rule 901. Requirement of Authentication or Identification
Rule 608. Evidence of Character and Conduct of Witness
Rule 609. Impeachment by Evidence of Conviction of Crime
Forensics Laws (cont’d)
Rule 502. Attorney-Client Privilege and Work Product;
Limitations on Waiver
Rule 614. Calling and Interrogation of Witnesses by Court
Rule 701. Opinion Testimony by Lay Witnesses
Rule 705. Disclosure of Facts or Data Underlying Expert Opinion
Rule 1002. Requirement of Original
Rule 1003. Admissibility of Duplicates
Notify Decision Makers and Acquire Authorization
Decision makers are the people who implement the policies and procedures for handling an incident
When there are no written incident response policies and procedures, notify the decision maker and obtain authorization before acting
After authorization, assess the situation and define the course of action
Best practices for getting authorization include:
• Obtain authorization from an authorized decision maker to conduct the investigation
• Document all the events and decisions that occurred during the incident and the incident response
• Depending on the scope of the incident, and in the absence of any national security or life safety issues, the first priority is to protect the organization from further harm
Risk Assessment
Identify the incident and the problems caused by it
Characterize the incident according to its severity
Determine the data loss or damage caused to the computer
due to the incident
Determine the possibility of other devices and systems being
affected by the incident
Break the communications with other devices to prevent the
incident from spreading
Build a Computer Investigation Toolkit
Investigators need a collection of hardware and software tools to acquire data during an investigation
A computer investigation toolkit contains:
• A laptop computer with appropriate software tools
• Operating systems and patches
• Application media
• Write-protected backup devices
• Blank media
• Basic networking equipment
• Cables
Computer Forensics Investigation Methodology
Obtain Search Warrant → Evaluate and Secure the Scene → Collect the Evidence → Secure the Evidence → Acquire the Data → Analyze the Data → Assess Evidence and Case → Prepare the Final Report → Testify in the Court as an Expert Witness
Steps to Prepare for a Computer Forensic Investigation
Suspend automated document destruction and recycling policies that may pertain to any relevant media or users at issue
Secure any relevant media, including hard drives, laptops, BlackBerry devices, PDAs, cell phones, CD-ROMs, DVDs, USB drives, and MP3 players, that the subject may have used
Do not turn the computer off or on, run any programs, or attempt to access data on the computer. An expert will have the appropriate tools and experience to prevent data from being overwritten, damage from static electricity, or other spoliation concerns
Steps to Prepare for a Computer
Forensic Investigation (cont’d)
Gather a list of names, email addresses, and other identifying information about
those with whom the subject might have communicated
Obtain passwords to access the encrypted or password-protected files, if
possible
Once the machine is secured, obtain information about the machine,
peripherals, and the network to which it is connected
Identify the type of data you are seeking, the information you are looking for,
and the urgency level of the examination
Steps to Prepare for a Computer
Forensic Investigation (cont’d)
Develop a list of key words or phrases to use when searching for relevant data
Maintain a "chain of custody" for each piece of original media, indicating
where the media has been, whose possession it has been in, and the reason for
that possession
If the computer is accessed before the forensic expert is able to secure a
mirror image, list the user(s) that accessed it, what files they accessed, and
when this occurred, and find out why the computer was accessed
Obtain Search Warrant
To carry out a law enforcement search, a search warrant from a court is normally required (the exceptions are covered under Searches Without a Warrant)
Warrants can be issued for:
• An entire company, floor, room, a device, car, house, or any company-owned property
Where will this search be conducted?
Is it practical to search the computer system on site, or must the examination be conducted at a field office or laboratory?
If agents remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
Example of Search Warrant
Searches Without a Warrant
"When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity." United States v. David, 756 F. Supp. 1385, 1392 (D. Nev. 1991)
Agents may search a place or object without a warrant or, for that matter, without probable cause, if a person with authority has consented. Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973)
Forensic Photography
Photographs of the evidence and of the areas affected by the incident need to be taken to support the forensic process
Photograph all the evidence, or at least whatever helps in locating and identifying evidence
Label the photographed evidence according to the methodology
Photograph the evidence again after the label is applied
Digital photography makes it faster to capture, edit, and transfer the images (edits belong on working copies; the original image files are retained unchanged)
Digital photography also allows the perspective of an image to be corrected, which is useful when measurements of the evidence are taken from the photograph
Gather the Preliminary Information at the Scene
When an incident occurs, the following information should be gathered:
• Date and time
• Place and location of the incident
• Evidence from volatile and non-volatile systems
• Details of the person(s) involved in the incident
• Name and identification of anyone who can serve as a potential witness
First Responder
The first person at the scene of the incident should collect and preserve as much evidence as possible
Evidence on all kinds of devices present at the scene should be collected
Follow the applicable law while collecting the evidence, or contact a computer forensic examiner as soon as possible
Collect Physical Evidence
Collect electronic devices or any other media that is found at the crime
scene
To preserve the integrity of the physical evidence, all the pieces of
evidence collected should be handled carefully
The objects identified as evidence should be tagged
The tag provides detailed information about the evidence
The physical evidence includes:
• Removable media
• Cables
• Publications
• All computer equipment, including peripherals
• Items taken from the trash
• Miscellaneous items
Evidence Collection Form
EVIDENCE
Submitting Agency: ____________
Case No: ____________
Item No: ____________
Date of Collection: ____________
Time of Collection: ____________
Collected by: ____________
Badge No: ____________
Description of Enclosed Evidence: ____________
Location Where Collected: ____________
Type of Offense: ____________
Victim’s Full Name: ____________
Suspect’s Full Name: ____________
Collect Electronic Evidence
List the systems involved in the incident and from which
systems evidence can be collected
For each system, obtain the relevant order of volatility
Record the extent of the system's clock drift
Collect the evidence from the people who are part of the
incident
Capture the electronic serial number of the drive and other
user-accessible, host-specific data
Collect Electronic Evidence (cont’d)
Electronic evidence consists of:
Data Files:
• Office desktop computer/workstation
• Notebook computer
• Home computer
• Computer of personal assistants/secretary/staff
• Palmtop devices
• Network file servers/mainframes/mini-computers
Backup Tapes:
• System-wide backups (monthly/weekly/incremental)
• Disaster recovery backups (stored off site)
• Personal or “ad hoc” backups (look for diskettes and other portable media)
Collect Electronic Evidence (cont’d)
Other Media Sources:
• Tape archives
• Replaced/removed drives
• Floppy diskettes and other portable media (e.g., CDs, Zip cartridges)
Guidelines in Acquiring Evidence
Warning banners put every user on notice that system activity is recorded, so that the activity of an unauthorized user can be monitored and used as evidence
In warning banners, organizations give clear and unequivocal notice to intruders that by signing onto the system they are expressly consenting to such monitoring
Seize the equipment that is connected to the case; knowing the role the computer played indicates what should be taken
Do not power the computer down during the seizure process
Ensure that the examiner’s storage device is forensically clean (wiped and verified) before acquiring the evidence onto it
Initiate write protection, if available, to preserve and protect the original evidence
Secure the Evidence
Secure the evidence without altering it or its identifying marks
Place the evidence in a secured site that no unauthorized person can access
Maintain the chain of custody to properly track the evidence
Identify digital and non-digital artifacts and separate the evidence according to its type and handling requirements
Maintain a log book at the entrance of the lab that records the name and entry/exit times of every visitor
Place an intrusion alarm system at the entrance of the forensic lab
Contact law enforcement agencies to learn how to preserve the evidence
Evidence Management
Evidence management helps in preserving the integrity of the evidence
This is achieved by proper handling and documentation of the evidence
The procedures used to protect and document the evidence when collecting and shipping it are:
• The logbook of the project
• A tag to uniquely identify each item of evidence
• A chain of custody record
At the time of evidence transfer, both sender and receiver need to record the date and time of the transfer in the chain of custody record
Chain of Custody
The chain of custody is a legal document that demonstrates the progression of the evidence as it travels from the original evidence location to the forensic laboratory
Functions:
• Governs the collection, handling, storage, testing, and disposition of evidence
• Safeguards against tampering with or substitution of evidence
• Documents that these steps have been carried out
The chain of custody form should identify:
• Sample collector
• Sample description, type, and number
• Sampling date and location
• Any custodians of the sample
Chain of Custody Form
Case #: ______  Client Ref. #: ______
Client Item #: ______  Description: ______
Make: ______  Model: ______  Serial #: ______  Other Identifying #: ______
(repeated for each item)
CHAIN OF CUSTODY
Client Item #’s | Date/Time | Released By (Name/Client, Signature) | Received By (Name/Client, Signature) | Reason
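Added example, not part of the EC-Council material: the chain of custody above kept as a tamper-evident log, so that the “safeguards against tampering” function is enforced rather than merely written down. Each transfer entry carries the form’s fields (item, date/time, released by, received by, reason), and every entry is sealed with a SHA-256 that also covers the previous entry’s seal; the first entry binds in the SHA-256 of the evidence image itself. The case number, names, timestamps and evidence hash are constructed for the demonstration.

```python
"""Tamper-evident chain-of-custody record (added example, not EC-Council code)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash carried by the very first entry


class CustodyChain:
    """Append-only custody log. Editing or dropping any earlier entry breaks the
    seal of that entry and the back-link of every entry after it."""

    def __init__(self, case_no, item_no, description, evidence_sha256, when=None):
        self.case_no = case_no
        self.entries = []
        self._append({"event": "collected", "item": item_no, "description": description,
                      "evidence_sha256": evidence_sha256}, when)

    @staticmethod
    def _seal(entry):
        # Canonical JSON (sorted keys) so the same fields always hash identically.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, fields, when=None):
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = dict(fields, case_no=self.case_no, seq=len(self.entries),
                     timestamp=when.isoformat(), prev_hash=prev)
        entry["entry_hash"] = self._seal(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, item, released_by, received_by, reason, when=None):
        """Record one hand-over exactly as the form does: who released, who received, why."""
        return self._append({"event": "transfer", "item": item, "released_by": released_by,
                             "received_by": received_by, "reason": reason}, when)

    def verify(self):
        """Return (ok, first_bad_seq): every seal and every back-link is re-checked."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._seal(e) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None


def demo():
    """Constructed record: collection plus two transfers, verified before and after
    someone quietly rewrites who received the drive in entry 1."""
    when = datetime(2009, 3, 2, 9, 15, tzinfo=timezone.utc)          # constructed
    chain = CustodyChain("2009-0042", "1", "160 GB SATA drive, serial redacted",  # constructed
                         evidence_sha256="a" * 64, when=when)          # placeholder digest
    chain.transfer("1", "Officer A. Smith", "Examiner B. Jones", "imaging", when)
    chain.transfer("1", "Examiner B. Jones", "Evidence locker", "storage", when)
    intact, _ = chain.verify()
    chain.entries[1]["received_by"] = "Examiner C. Doe"   # the tampering
    tampered, bad_seq = chain.verify()
    return intact, tampered, bad_seq


if __name__ == "__main__":
    print("intact=%s after_tamper=%s first_bad_entry=%s" % demo())
```

A hash chain only proves that the log has not changed since it was last checked; whoever holds the whole log can recompute every seal. In practice the latest entry hash is therefore copied into the paper form, signed, or lodged with a second custodian so that a rewritten log can be detected against that anchor.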
Original Evidence Should NEVER be Used for Analysis
Duplicate the Data (Imaging)
Duplicate the data to preserve the original
The data should be duplicated bit by bit so that the copy represents exactly the same data as the original, including deleted files and unallocated space
The data can be duplicated either through hardware or software
The duplicated data is sent to the forensic lab
Verify Image Integrity
Calculate and match the MD5 hash for the original evidence and the forensic image
Matching hash values show that the image is identical to the evidence
MD5 collisions are practical today, so record a second hash (SHA-256) alongside the MD5 and keep both in the acquisition notes
Tools for calculating hash values:
• md5sum
• Free Hash
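Added example, not part of the EC-Council material: the imaging and verification steps of the two slides above carried out in Python. The source is streamed into an image file while MD5 and SHA-256 are computed over the bytes as they are read; the finished image is then re-read and every digest compared with the acquisition record, and a single flipped byte in the image is shown to fail verification. The 3 MiB “device” is a constructed file in a temporary directory, and the file names are assumptions; on a real acquisition a hardware write blocker sits in front of the source, which this code cannot provide.

```python
"""Bit-for-bit imaging with dual-hash verification (added example, not EC-Council code)."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so a multi-TB device never has to fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the whole file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_device(source, destination):
    """Copy `source` byte-for-byte to `destination`, hashing the source as it streams past.

    The source is opened read-only; that is software write protection only, so a
    hardware write blocker (assumed, not shown) still belongs between examiner and evidence.
    Returns the acquisition record: byte count plus the source digests."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha256")}
    total = 0
    with open(source, "rb") as src, open(destination, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the examiner's media
    return {"bytes": total, **{n: h.hexdigest() for n, h in hashers.items()}}


def verify_image(acquisition_record, image_path):
    """Re-read the finished image and compare every digest with the acquisition record."""
    image_hashes = hash_file(image_path)
    return all(image_hashes[name] == acquisition_record[name] for name in image_hashes)


def demo():
    """Acquire a constructed 3 MiB 'device', verify it, then flip one byte in the image
    (never the original) and verify again. Returns (verified_ok, tampered_ok, record)."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    device = os.path.join(workdir, "evidence.dd")      # stands in for /dev/sdX
    image = os.path.join(workdir, "evidence.raw")      # examiner's image file
    with open(device, "wb") as f:                      # constructed, deterministic content
        for i in range(3):
            f.write(hashlib.sha256(str(i).encode()).digest() * (CHUNK // 32))
    record = image_device(device, image)
    verified_ok = verify_image(record, image)
    with open(image, "r+b") as f:                      # simulate corruption of the copy
        f.seek(CHUNK + 17)
        byte = f.read(1)
        f.seek(CHUNK + 17)
        f.write(bytes([byte[0] ^ 0x01]))
    tampered_ok = verify_image(record, image)
    return verified_ok, tampered_ok, record


if __name__ == "__main__":
    ok, tampered, rec = demo()
    print(f"image verified: {ok}; corrupted image still verifies: {tampered}")
    print(f"bytes={rec['bytes']} md5={rec['md5']} sha256={rec['sha256']}")
```

Hashing the source while it streams means the evidence is read exactly once; the image is then read a second time for verification, which is the cost of proving the bytes on the examiner’s media match the bytes that came off the device.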
Recover Lost or Deleted Data
Collect the lost or deleted data for evidence from internal and external devices
Some software used to recover the data:
• Partition Recovery Software
• Data Recovery Wizard
• PCInspector File Recovery
• TestDisk and PhotoRec
• ISOBuster
• SoftPerfect File Recovery
Data Analysis
Thoroughly analyze the acquired data to draw conclusions related to the case
Data analysis techniques depend on the scope of the case or the client’s requirements
This phase includes:
• Analysis of file content; the date and time of file creation, access, and modification; the users associated with those events; and the physical storage location of the file
• Timeline generation
Identify and categorize data in order of relevance
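Added example, not part of the EC-Council material: timeline generation as described above, combined with the clock-drift measurement that the Collect Electronic Evidence slide asks for. File system MAC times from a seized host are corrected by the drift recorded at seizure, merged with a firewall log whose clock was trusted, and sorted; without the correction the file access would appear to happen after the outbound connection instead of before it. The file records, log line, drift readings and host name are constructed.

```python
"""MAC timeline with clock-drift correction (added example, not EC-Council code)."""
from datetime import datetime, timedelta, timezone

# Constructed sample data. Each timestamp is what that source's OWN clock recorded.
HOST_FILES = [
    {"path": "/home/bob/report.xls",
     "m": "2009-02-10T08:02:10", "a": "2009-02-11T17:50:00", "c": "2009-02-10T08:02:10"},
    {"path": "/home/bob/usb_copy.log",
     "m": "2009-02-11T17:52:40", "a": "2009-02-11T17:52:40", "c": "2009-02-11T17:52:40"},
]
FIREWALL_LOG = [  # the firewall was NTP-synced, so its drift is taken as zero
    "2009-02-11T17:40:05 ALLOW 10.0.0.12 -> 198.51.100.7:443",
]


def parse(ts):
    """ISO-8601 timestamp without a zone, treated as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def measure_drift(system_reading, reference_reading):
    """Drift recorded at seizure: suspect system clock minus a trusted clock, both read
    at the same instant. Positive means the suspect clock runs fast."""
    return parse(system_reading) - parse(reference_reading)


def host_events(files, drift):
    """One event per distinct (corrected time, path) with mactime-style flags:
    'm.c' = modify and change coincide, '.a.' = an access on its own, 'mac' = all three."""
    grouped = {}
    for f in files:
        for flag in "mac":
            corrected = parse(f[flag]) - drift     # true time = recorded time - drift
            grouped.setdefault((corrected, f["path"]), set()).add(flag)
    return [(t, "".join(fl if fl in flags else "." for fl in "mac"), "host", path)
            for (t, path), flags in grouped.items()]


def firewall_events(lines, drift):
    out = []
    for line in lines:
        ts, rest = line.split(" ", 1)
        out.append((parse(ts) - drift, "...", "firewall", rest))
    return out


def build_timeline(*event_lists):
    """Merge every source into one list ordered by corrected (true) time."""
    return sorted(ev for evs in event_lists for ev in evs)


def demo():
    # At seizure the workstation showed 18:00:00 while the reference clock showed 17:48:30.
    drift = measure_drift("2009-02-11T18:00:00", "2009-02-11T17:48:30")
    timeline = build_timeline(host_events(HOST_FILES, drift),
                              firewall_events(FIREWALL_LOG, timedelta(0)))
    return drift, timeline


if __name__ == "__main__":
    drift, timeline = demo()
    print(f"host clock drift: {drift}")
    for t, flags, source, what in timeline:
        print(t.isoformat(), flags, source, what)
```

Record the drift for every system whose clock contributes to the timeline, not just the seized host; events from two sources can only be ordered against each other once both have been brought onto the same reference clock.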
Data Analysis Tools
Forensic tools help in sorting and analysis of a large volume of data to
draw meaningful conclusions
Examples of data analysis tools:
• AccessData's FTK
• Guidance Software's EnCase
• Brian Carrier's Sleuth Kit
Evidence Assessment
The digital evidence should be thoroughly assessed with respect to the scope of
the case to determine the course of action
Conduct a thorough assessment by reviewing the search warrant or other legal
authorization, case detail, nature of the hardware and software, potential
evidence sought, and the circumstances surrounding the acquisition of the
evidence to be examined
Case Assessment
Review the case investigator’s request for service
Identify the legal authority for the forensic examination request
Document the chain of custody
Discuss whether other forensic processes need to be performed
on the evidence (e.g., DNA analysis, fingerprint, tool marks,
trace, and questioned documents)
Case Assessment (cont’d)
Discuss the possibility of pursuing other investigative avenues to obtain additional
digital evidence (e.g., sending a preservation order to an Internet service provider
(ISP), identifying remote storage locations, obtaining email)
Consider the relevance of peripheral components to the investigation; for example, in
forgery or fraud cases, consider non-computer equipment such as laminators, credit
card blanks, check paper, scanners, and printers (In child pornography cases,
consider digital cameras)
Determine the potential evidence being sought (e.g., photographs, spreadsheets,
documents, databases, and financial records)
Determine additional information regarding the case (e.g., aliases, email accounts,
email addresses, ISP used, names, network configuration and users, system logs,
passwords, user names) which may be obtained through interviews with the system
administrator, users, and employees
Processing Location Assessment
Assess the evidence to determine where to conduct the examination
It is preferable to complete the examination in a controlled environment,
such as a dedicated forensic work area or laboratory
Whenever circumstances require an onsite examination to be conducted,
attempt to control the environment
Processing Location Assessment (cont’d)
Assessment considerations include:
• The time needed onsite to accomplish evidence recovery
• Logistic and personnel concerns associated with long-term deployment
• The impact on the business due to a lengthy search
• The suitability of the equipment, resources, media, training, and experience for an onsite examination
Best Practices
Analyze the physical and logical evidence for their value to the case
Use a safe cabinet to secure the evidence
Examine network service logs for any events of interest
Examine the large amount of host data, of which only a portion might be relevant to the incident
Perform offline analysis on a bit-wise copy of the original evidence
Search the contents of all gathered files to help identify files that may be of interest
Review the time and date stamps in the file system metadata
Correlate file headers (signatures) to the corresponding file extensions to identify any mismatches
Review the file names for relevance and patterns
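Added example, not part of the EC-Council material: one file-signature table used two ways. First it carves complete and truncated files out of a constructed block of unallocated space, which is the mechanism behind the recovery tools listed under Recover Lost or Deleted Data; then it correlates headers with extensions to flag the mismatches the last best practice above asks for. The image layout, the file names and their first bytes are all constructed; the JPEG, PNG and PDF signatures are the standard ones.

```python
"""Signature carving and header/extension correlation (added example, not EC-Council code)."""

# Standard header and trailer bytes; `ext` lists the extensions a file of that type may carry.
SIGNATURES = {
    "jpeg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9", "ext": {"jpg", "jpeg"}},
    "png":  {"header": b"\x89PNG\r\n\x1a\n", "footer": b"IEND\xaeB`\x82", "ext": {"png"}},
    "pdf":  {"header": b"%PDF-", "footer": b"%%EOF", "ext": {"pdf"}},
}
KNOWN_EXTS = {e for s in SIGNATURES.values() for e in s["ext"]}
MAX_CARVE = 64 * 1024  # cap for a file whose trailer is never found


def build_sample_image():
    """Constructed 'unallocated space': filler with three embedded files, the last truncated."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 500 + b"\xff\xd9"      # 513 bytes
    pdf = b"%PDF-1.4\n" + b"B" * 200 + b"\n%%EOF"                              # 215 bytes
    png_fragment = b"\x89PNG\r\n\x1a\n" + b"C" * 100   # header only: rest was overwritten
    return (b"\x00" * 1000 + jpeg + b"\x55" * 300 + pdf + b"\x00" * 100
            + png_fragment + b"\x00" * 50)


def carve(data):
    """Scan for the earliest header, run to its trailer, record, continue after it.
    A file with no trailer inside MAX_CARVE is returned with complete=False."""
    found, pos = [], 0
    while True:
        hits = [(data.find(s["header"], pos), name) for name, s in SIGNATURES.items()]
        hits = [h for h in hits if h[0] >= 0]
        if not hits:
            break
        start, name = min(hits)
        sig = SIGNATURES[name]
        end = data.find(sig["footer"], start + len(sig["header"]))
        if end >= 0 and end + len(sig["footer"]) - start <= MAX_CARVE:
            length, complete = end + len(sig["footer"]) - start, True
        else:
            length, complete = min(MAX_CARVE, len(data) - start), False
        found.append({"offset": start, "type": name, "length": length, "complete": complete})
        pos = start + length
    return found


def identify(head):
    """Type named by the leading bytes, or None when no known signature matches."""
    for name, sig in SIGNATURES.items():
        if head.startswith(sig["header"]):
            return name
    return None


def extension_mismatches(files):
    """files: {name: first bytes}. Flags a file when its header names a type the extension
    does not belong to, or when the extension claims a known type but the header is not one."""
    bad = {}
    for name, head in files.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        detected = identify(head)
        if (detected and ext not in SIGNATURES[detected]["ext"]) or \
           (detected is None and ext in KNOWN_EXTS):
            bad[name] = (ext, detected)
    return bad


SAMPLE_FILES = {  # constructed: name -> first bytes as read from the image
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3",
    "holiday.jpg": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",   # PNG hiding behind .jpg
    "notes.txt": b"Meeting notes 2009-02-11",
    "secret.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF",              # JPEG renamed to .txt
    "report.pdf": b"this is not a pdf",                          # .pdf that is not a PDF
}

if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit)
    for name, (ext, detected) in extension_mismatches(SAMPLE_FILES).items():
        print(f"{name}: extension .{ext} but header says {detected}")
```

Real carvers add per-type length rules (a PDF can contain several `%%EOF` markers, a JPEG can embed a thumbnail with its own trailer) and this table is deliberately short; the point is that the same signature knowledge recovers files the file system has forgotten and catches files whose names lie about what they are.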
Documentation in Each Phase
Assess the situation:
• An initial estimate of the impact of the situation on the organization's business
• Summaries of interviews with users and system administrators
• Outcomes of any legal and third-party interactions
• Reports and logs generated by tools used during the assessment phase
• A proposed course of action
Acquire the data:
• Create a check-in/check-out list that includes information such as the name of the person examining the evidence, the exact date and time they check out the evidence, and the exact date and time they return it
Documentation in Each Phase (cont’d)
Analyze the data:
• Document the number and type of operating system(s)
• Document the files’ contents
• Document the result of correlating files to the installed applications
• Document the users’ configuration settings
Gather and Organize Information
Documentation from each phase should be reviewed for its relevance to the investigation
Procedures used to gather and organize the required documentation are:
• Gather all documentation and notes from the Assess, Acquire, and Analyze phases
• Identify parts of the documentation that are relevant to the investigation
• Identify facts to support the conclusions you will make in the report
• Create a list of all evidence to be submitted with the report
• List any conclusions you wish to make in your report
• Organize and classify the information you gathered to ensure a clear and concise report
Writing the Investigation Report
Report Writing:
• Report writing is a crucial stage in the outcome of the investigation
• The report should be clear, concise, and written for the appropriate audience
The sections of the report include:
Purpose of Report:
• Clearly explain the objective of the report, the target audience, and why the report was prepared
Author of Report:
• List all authors and co-authors of the report, including their positions, responsibilities during the investigation, and contact details
Writing the Investigation Report (cont’d)
Incident Summary:
• Introduce the incident and explain its impact; the summary should explain clearly what happened and how the incident occurred
Evidence:
• Provide descriptions of the evidence that was acquired during the investigation
Details:
• Provide a detailed description of what evidence was analyzed and the analysis methods that were used
• Explain the findings of the analysis
• List the procedures that were followed during the investigation and any analysis techniques that were used
• Include proof of your findings, such as utility reports and log entries
Writing the Investigation Report (cont’d)
Conclusion:
• Summarize the outcome of the investigation
• Cite specific evidence to prove the conclusion
• The conclusion should be clear and unambiguous
Supporting documents:
• Include any background information referred to throughout the report, such as network diagrams, documents that describe the computer investigation procedures used, and overviews of technologies that are involved in the investigation
• It is important that supporting documents provide enough information for the report reader to understand the incident as completely as possible
Sample Report (seven slides showing a sample investigation report as images; the report text was not extracted)
Computer Forensics Investigation Methodology (steps in order):
• Obtain Search Warrant
• Evaluate and Secure the Scene
• Collect the Evidence
• Secure the Evidence
• Acquire the Data
• Analyze the Data
• Assess Evidence and Case
• Prepare the Final Report
• Testify in the Court as an Expert Witness
Expert Witness
An expert witness is a person with thorough knowledge of a subject, so that the court may legally rely on his or her opinion
The role of an expert witness is to:
• Investigate a crime
• Evaluate the evidence
• Educate the public and the court
• Testify in court
Role of the expert witness in bringing evidence to court:
• Assist the court in understanding intricate evidence
• Aid the attorney in getting to the truth
• Truthfully, objectively and fully express his or her expert opinion, without regard to any outside views or influence
Testifying in the Court Room
Presenting digital evidence in court requires knowledge of new, specialized, evolving, and sometimes complex technology
Things that take place in the court room:
• Familiarize yourself with the usual procedures that are followed during a trial
• The attorney introduces the expert witness and presents his or her qualifications
• The opposing counsel may try to discredit the expert witness
• The attorney leads the expert witness through the evidence
• This is followed by cross-examination by the opposing counsel
Closing the Case
The investigator should include what was done and the results in the final report
A basic report covers: who, what, when, where, and how
In a good computing investigation the steps can be repeated and the results obtained are the same every time
The report should explain the computer and network processes and the inner workings of the system
The investigator should provide explanations for the various processes and their interrelated components
Maintaining Professional Conduct
Consider all the available facts relating to the crime scene
Ignore external biases to maintain the integrity of fact-finding in all investigations
Keep the case confidential
Stay current on the latest technical changes in computer hardware and software, networking, and forensic tools
Maintain a chain of custody
Follow these criteria to maintain professional conduct:
• Credibility
• Ethics and morals
• Standards of behavior
• Maintain objectivity and confidentiality
• Enriched technical knowledge
• Conduct with integrity
Investigating a Company Policy Violation
Employees using the company's resources for personal use not only waste the company's time and resources but also violate company policy
Trace such employees and educate them about the company's policy; if the problem persists, take suitable action
Employees misusing resources can cost companies millions of dollars
Misusing resources includes:
• Surfing the Internet
• Sending personal emails
• Using company computers for personal tasks
While investigating, the business must continue with minimal interruption
Computer Forensics Service Providers
Service Provider: Link
CFS: http://www.computer-forensic.com/
Lab systems: http://www.labsystems.co.in/
DataBank Services: http://www.databankservices.com/
Computer Legal Experts: http://www.ontonet.com/default.asp
Data Triage Technologies: http://www.datatriage.com/computer_forensics.php
New York Computer Forensic Services: http://www.newyorkcomputerforensics.com/
Global Digital Forensics: http://www.evestigate.com/
Summary
Collect evidence that can be presented in a court of law or at a corporate inquiry
Maintain a "chain of custody" for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession
Obtain proper written authorization from an authorized decision maker to conduct the computer investigation
The first person at the scene of the incident should collect and preserve as much evidence as possible
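The chain-of-custody record summarized above, and the requirement under Closing the Case that results be reproducible, can be enforced rather than only written down. The following Python script is an added example and is not EC-Council's material: it hashes the original media at acquisition, re-verifies that hash at every hand-over (who, where, why), and hash-links each custody entry to the previous one so that a later edit of any entry is detectable. The item identifier, custodian names, locations and the media bytes are constructed for illustration; a real ledger would hash the acquired image file.

```python
"""Hash-verified chain-of-custody ledger for one piece of original media.

Added example, not EC-Council's code. The media contents, item identifier and
custodians below are constructed; in practice the bytes come from the acquired
image file and the ledger is stored where custodians cannot rewrite it.
"""
from __future__ import annotations

import dataclasses
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the media contents (the value quoted in the report)."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    timestamp: str        # UTC ISO-8601 time of the hand-over
    custodian: str        # whose possession the media is in
    location: str         # where the media has been
    reason: str           # why that person had it
    evidence_sha256: str  # media hash re-verified at this hand-over
    prev_entry_hash: str  # entry_hash of the previous entry (GENESIS for the first)
    entry_hash: str       # hash over every field above


def hash_entry_fields(fields: dict) -> str:
    """Hash all fields except entry_hash in canonical (sorted-key) JSON form."""
    body = {k: v for k, v in fields.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class ChainOfCustody:
    GENESIS = "0" * 64

    def __init__(self, item_id: str, evidence: bytes) -> None:
        self.item_id = item_id
        # Hash taken at acquisition; every later hand-over must reproduce it.
        self.acquisition_sha256 = sha256_hex(evidence)
        self.entries: list[CustodyEntry] = []

    def transfer(self, custodian: str, location: str, reason: str,
                 evidence: bytes, when: datetime | None = None) -> CustodyEntry:
        """Record a hand-over; refuse it if the media no longer hashes as acquired."""
        current = sha256_hex(evidence)
        if current != self.acquisition_sha256:
            raise ValueError(f"{self.item_id}: media hash changed before hand-over to {custodian}")
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        fields = {
            "seq": len(self.entries) + 1,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "custodian": custodian,
            "location": location,
            "reason": reason,
            "evidence_sha256": current,
            "prev_entry_hash": prev,
        }
        fields["entry_hash"] = hash_entry_fields(fields)
        entry = CustodyEntry(**fields)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> list[str]:
        """Return every problem found; an empty list means media and ledger are intact."""
        problems: list[str] = []
        if sha256_hex(evidence) != self.acquisition_sha256:
            problems.append("media hash differs from acquisition hash")
        prev = self.GENESIS
        for expected_seq, entry in enumerate(self.entries, start=1):
            if entry.seq != expected_seq:
                problems.append(f"entry {entry.seq}: sequence gap (expected {expected_seq})")
            if entry.prev_entry_hash != prev:
                problems.append(f"entry {entry.seq}: link to previous entry broken")
            if hash_entry_fields(asdict(entry)) != entry.entry_hash:
                problems.append(f"entry {entry.seq}: contents altered after signing")
            if entry.evidence_sha256 != self.acquisition_sha256:
                problems.append(f"entry {entry.seq}: recorded media hash differs from acquisition hash")
            prev = entry.entry_hash
        return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed walk-through: three hand-overs, then one entry edited afterwards."""
    image = b"CONSTRUCTED SAMPLE IMAGE OF A SEIZED USB STICK\x00" * 64  # not real data
    t0 = datetime(2024, 5, 2, 9, 15, tzinfo=timezone.utc)
    coc = ChainOfCustody("ITEM-2024-0007", image)
    coc.transfer("A. Patel (first responder)", "Room 410, HQ", "seized at scene", image, t0)
    coc.transfer("Evidence locker", "Locker B-12", "secure storage", image, t0.replace(hour=11))
    coc.transfer("J. Ruiz (examiner)", "Forensic lab", "imaging and analysis", image, t0.replace(day=3))
    intact = coc.verify(image)
    # Someone later edits the recorded reason for entry 2; its hash no longer matches.
    coc.entries[1] = dataclasses.replace(coc.entries[1], reason="taken home overnight")
    tampered = coc.verify(image)
    return intact, tampered


if __name__ == "__main__":
    before, after = demo()
    print("problems with intact ledger:", before)
    print("problems after editing entry 2:", after)
```

Run the script directly to see the intact ledger pass and the edited entry get flagged. Hash linking makes edits detectable, not impossible: the ledger still has to live somewhere the custodians cannot rewrite, and the acquisition hash belongs in the report itself so that anyone repeating the examination can confirm they started from the same media.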
More Related Content

What's hot (20)

File000129
File000129File000129
File000129
 
File000172
File000172File000172
File000172
 
File000116
File000116File000116
File000116
 
File000127
File000127File000127
File000127
 
File000166
File000166File000166
File000166
 
CHFI
CHFICHFI
CHFI
 
File000163
File000163File000163
File000163
 
Ce hv6 module 55 preventing data loss
Ce hv6 module 55 preventing data lossCe hv6 module 55 preventing data loss
Ce hv6 module 55 preventing data loss
 
File000170
File000170File000170
File000170
 
File000150
File000150File000150
File000150
 
File000139
File000139File000139
File000139
 
File000125
File000125File000125
File000125
 
File000171
File000171File000171
File000171
 
File000164
File000164File000164
File000164
 
File000132
File000132File000132
File000132
 
CS6004 Cyber Forensics - UNIT V
CS6004 Cyber Forensics - UNIT VCS6004 Cyber Forensics - UNIT V
CS6004 Cyber Forensics - UNIT V
 
Ce hv6 module 61 threats and countermeasures
Ce hv6 module 61 threats and countermeasuresCe hv6 module 61 threats and countermeasures
Ce hv6 module 61 threats and countermeasures
 
File000168
File000168File000168
File000168
 
File000174
File000174File000174
File000174
 
CS6004 Cyber Forensics - UNIT IV
CS6004 Cyber Forensics - UNIT IVCS6004 Cyber Forensics - UNIT IV
CS6004 Cyber Forensics - UNIT IV
 

Similar to Computer Forensics Investigation Process Guide

Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3sabtolinux
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensicsRahul Baghla
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsSCREAM138
 
computerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdfcomputerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdfGnanavi2
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicDhiren Gala
 
Computer forensics
Computer forensicsComputer forensics
Computer forensicsHiren Selani
 
Ce hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handlingCe hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handlingVi Tính Hoàng Nam
 
Ceh v5 module 17 physical security
Ceh v5 module 17 physical securityCeh v5 module 17 physical security
Ceh v5 module 17 physical securityVi Tính Hoàng Nam
 
computer forensics, involves the preservation, identification, extraction, an...
computer forensics, involves the preservation, identification, extraction, an...computer forensics, involves the preservation, identification, extraction, an...
computer forensics, involves the preservation, identification, extraction, an...pable2
 
sakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptsakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptSakshiAlex
 
Uc14 chap15
Uc14 chap15Uc14 chap15
Uc14 chap15ayahye
 
Introduction To Forensic Methodologies
Introduction To Forensic MethodologiesIntroduction To Forensic Methodologies
Introduction To Forensic MethodologiesLedjit
 
Lecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptLecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptSurajgroupsvideo
 
Latihan2 comp-forensic
Latihan2 comp-forensicLatihan2 comp-forensic
Latihan2 comp-forensicsabtolinux
 

Similar to Computer Forensics Investigation Process Guide (20)

Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3Latihan4 comp-forensic-bab3
Latihan4 comp-forensic-bab3
 
Computer +forensics
Computer +forensicsComputer +forensics
Computer +forensics
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
computerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdfcomputerforensics-140212060522-phpapp02.pdf
computerforensics-140212060522-phpapp02.pdf
 
Business Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer ForensicBusiness Intelligence (BI) Tools For Computer Forensic
Business Intelligence (BI) Tools For Computer Forensic
 
Computer forencis
Computer forencisComputer forencis
Computer forencis
 
Computer forensics
Computer forensicsComputer forensics
Computer forensics
 
Ce hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handlingCe hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handling
 
Ceh v5 module 17 physical security
Ceh v5 module 17 physical securityCeh v5 module 17 physical security
Ceh v5 module 17 physical security
 
computer forensics, involves the preservation, identification, extraction, an...
computer forensics, involves the preservation, identification, extraction, an...computer forensics, involves the preservation, identification, extraction, an...
computer forensics, involves the preservation, identification, extraction, an...
 
CHFI.pdf
CHFI.pdfCHFI.pdf
CHFI.pdf
 
PACE-IT, Security+ 2.4: Basic Forensic Procedures
PACE-IT, Security+ 2.4: Basic Forensic ProceduresPACE-IT, Security+ 2.4: Basic Forensic Procedures
PACE-IT, Security+ 2.4: Basic Forensic Procedures
 
sakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.pptsakshi Computer_forensics_ppt.ppt
sakshi Computer_forensics_ppt.ppt
 
Uc14 chap15
Uc14 chap15Uc14 chap15
Uc14 chap15
 
Uc14 chap15
Uc14 chap15Uc14 chap15
Uc14 chap15
 
Introduction To Forensic Methodologies
Introduction To Forensic MethodologiesIntroduction To Forensic Methodologies
Introduction To Forensic Methodologies
 
Lecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.pptLecture2 Introduction to Digital Forensics.ppt
Lecture2 Introduction to Digital Forensics.ppt
 
Cyber forensics
Cyber forensicsCyber forensics
Cyber forensics
 
Latihan2 comp-forensic
Latihan2 comp-forensicLatihan2 comp-forensic
Latihan2 comp-forensic
 
File000154
File000154File000154
File000154
 

More from Desmond Devendran (19)

Siam key-facts
Siam key-factsSiam key-facts
Siam key-facts
 
Siam foundation-process-guides
Siam foundation-process-guidesSiam foundation-process-guides
Siam foundation-process-guides
 
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledgeSiam foundation-body-of-knowledge
Siam foundation-body-of-knowledge
 
Enterprise service-management-essentials
Enterprise service-management-essentialsEnterprise service-management-essentials
Enterprise service-management-essentials
 
Service Integration and Management
Service Integration and Management Service Integration and Management
Service Integration and Management
 
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDiagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
 
CHFI 1
CHFI 1CHFI 1
CHFI 1
 
File000175
File000175File000175
File000175
 
File000169
File000169File000169
File000169
 
File000167
File000167File000167
File000167
 
File000165
File000165File000165
File000165
 
File000162
File000162File000162
File000162
 
File000161
File000161File000161
File000161
 
File000160
File000160File000160
File000160
 
File000159
File000159File000159
File000159
 
File000158
File000158File000158
File000158
 
File000157
File000157File000157
File000157
 
File000156
File000156File000156
File000156
 
File000155
File000155File000155
File000155
 

Recently uploaded

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 

Recently uploaded (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Computer Forensics Investigation Process Guide

  • 1. Module II - Computer Forensics Investigation Process
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Howard Eisemann, CEO of Able Forensic Investigations Announces New TSCM Investigative Section Source: http://www.webwire.com/
  • 3. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • Investigating Computer Crime • Steps to Prepare for Computer Forensic Investigation • Investigation Process • Assess the Situation • Acquire the Evidence • Analyze the Evidence • Evidence Management • Report the Investigation • Present the Evidence to Court This module will familiarize you with:
  • 4. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Investigating Computer Crime Acquire the Evidence Assess the Situation Present the Evidence to Court Report the Investigation Evidence ManagementAnalyze the Evidence Steps to Prepare for a Computer Forensic Investigation
  • 5. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Investigating Computer Crime Determine if an incident has occurred Find and interpret the clues left behind Conduct preliminary assessment to search for the evidence Search and seize the computer’s equipment Collect evidence that can be presented in the court of law or at a corporate inquiry
  • 6. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Before the Investigation • Have work station and data recovery lab • Build Investigating Team • Enter into alliance with a local District Attorney • Review Policies and Laws • Notify Decision Makers and Acquire Authorization • Assess Risks • Build a Computer Investigation Toolkit • Define the methodology Before starting the investigation, make sure you:
  • 7. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Build a Forensics Workstation • Support hardware-based local and remote network drive duplication • Validate the image and the file’s integrity • Identify the date and time when the files have been modified, accessed, or created • Identify the deleted files • Support the removable media • Isolate and analyze free drive space The computer forensics workstation should have facilities and tools to: Computer forensics approach should be clearly defined before building the forensic work station
  • 8. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Forensics Workstation
  • 9. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Building the Investigation Team Determine the person who should respond to an incident for a successful internal computer investigation Identify team members and assign the responsibility to each team member Assign one team member as the technical lead for the investigation Keep the investigation team as small as possible to ensure confidentiality and to protect the organization against unwanted information leaks Ensure that every team member has the necessary clearance and authorization to conduct assigned tasks Engage a trusted external investigation team if your organization does not have personnel with the necessary skills
  • 10. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited People Involved in Computer Forensics • Gives legal adviceAttorney: • Photographs the crime scene and the evidence gathered Photographer: • Responsible for the measures to be taken when an incident occurs Incident Responder: • Responsible for authorization of a policy or procedure for the investigation process Decision Maker:
  • 11. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited People Involved in Computer Forensics (cont’d) • Analyzes the incidents based on their occurrenceIncident Analyzer: • Examines the evidence acquired and sorting the useful evidence Evidence Examiner/Investigator: • Documents all the evidence and the phases present in the investigation process Evidence Documenter: • Manages the evidence in such a way that they are admissible in the court of law Evidence Manager: • Offers a formal opinion as a testimony in the court of law Expert Witness:
  • 12. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Review Policies and Laws It is essential to understand the laws that apply to the investigation including the internal organization policies before starting the investigation process Identify possible concerns related to applicable Federal statutes (such as the Electronic Communications Privacy Act of 1986 (ECPA) and the Cable Communications Policy Act (CCPA), both as amended by the USA PATRIOT ACT of 2001, and/or the Privacy Protection Act of 1980 (PPA)), State statutes, and local policies and laws • Determine the extent of the authority to search • Determine the legal authorities for conducting an investigation • Consult with a legal advisor with issues raised for any improper handling of the investigation • Ensure the customer’s privacy and confidentiality The best practices in reviewing policies and laws include:
  • 13. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Forensics Laws 18 USC §1029. Fraud and related activity in connection with access devices 18 USC §1030. Fraud and related activity in connection with computers 18 USC §1361-2 - Prohibits malicious mischief Rule 402. Relevant Evidence Generally Admissible; Irrelevant Evidence Inadmissible Rule 901. Requirement of Authentication or Identification Rule 608. Evidence of Character and Conduct of Witness Rule 609. Impeachment by evidence of conviction of crime
  • 14. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Forensics Laws (cont’d) Rule 502. Attorney-Client Privilege and Work Product; Limitations on Waiver Rule 614. Calling and Interrogation of Witnesses by Court Rule 701. Opinion Testimony by Lay Witnesses Rule 705. Disclosure of Facts or Data Underlying Expert Opinion Rule 1002. Requirement of Original Rule 1003. Admissibility of Duplicates
  • 15. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Notify Decision Makers and Acquire Authorization • Obtain the authorization from an authorized decision maker to conduct the investigation • Document all the events and decisions that occurred during the incident and incident response • Depending on the scope of the incident and absence of any national security issues or life safety issues, the first priority is to protect the organization from further harm Best practices to get authorization include: Decision makers are the people who implements policies and procedures for handling an incident Notify the decision maker to be authorized when there is no written incident response policies and procedures After the authorization, assess the situation and define the course of action
  • 16. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Risk Assessment Identify the incident and the problems caused by it Characterize the incident according to its severity Determine the data loss or damage caused to the computer due to the incident Determine the possibility of other devices and systems being affected by the incident Break the communications with other devices to prevent the incident from spreading
  • 17. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Build a Computer Investigation Toolkit • A laptop computer with appropriate software tools • Operating systems and patches • Application media • Write-protected backup devices • Blank media • Basic networking equipment • Cables A computer investigation toolkit contains: Investigators need a collection of hardware and software tools to acquire data during an investigation
  • 18. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Computer Forensics Investigation Methodology Testify in the Court as an Expert Witness Prepare the Final Report Analyze the Data Acquire the Data Assess Evidence and Case Evaluate and Secure the Scene Collect the Evidence Secure the Evidence Obtain Search Warrant
  • 19. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Steps to Prepare for a Computer Forensic Investigation Suspend automated document destruction and recycling policies that may pertain to any relevant media or users at issue Secure any relevant media – including hard drives, laptops, Blackberries, PDAs, cell phones, CD-ROMs, DVDs, USB drives, and MP3 players – the subject may have used Do not turn the computer off or on, run any programs, or attempt to access data on a computer. An expert will have the appropriate tools and experience to prevent data from overwriting, damage from static electricity, or other spoliation concerns
• 20. Steps to Prepare for a Computer Forensic Investigation (cont’d)
  • Gather a list of names, email addresses, and other identifying information about those with whom the subject might have communicated
  • Obtain passwords to access encrypted or password-protected files, if possible
  • Once the machine is secured, obtain information about the machine, its peripherals, and the network to which it is connected
  • Identify the type of data you are seeking, the information you are looking for, and the urgency level of the examination
• 21. Steps to Prepare for a Computer Forensic Investigation (cont’d)
  • Develop a list of key words or phrases to use when searching for relevant data
  • Maintain a "chain of custody" for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession
  • If the computer is accessed before the forensic expert is able to secure a mirror image, list the user(s) who accessed it, what files they accessed, and when this occurred, and find out why the computer was accessed
• 23. Obtain Search Warrant
  To carry out an investigation, a search warrant from a court is required. Warrants can be issued for:
  • An entire company, floor, room, a device, car, house, or any company-owned property
  Questions to settle before the search:
  • Where will this search be conducted? Is it practical to search the computer system on site, or must the examination be conducted at a field office or laboratory?
  • If agents remove the system from the premises to conduct the search, must they return the computer system, or copies of the seized data, to its owner/user before trial?
• 24. Example of Search Warrant
• 25. Searches Without a Warrant
  "When destruction of evidence is imminent, a warrantless seizure of that evidence is justified if there is probable cause to believe that the item seized constitutes evidence of criminal activity." United States v. David, 756 F. Supp. 1385, 1392 (D. Nev. 1991)
  Agents may search a place or object without a warrant or, for that matter, without probable cause, if a person with authority has consented. Schneckloth v. Bustamonte, 412 U.S. 218, 219 (1973)
• 27. Forensic Photography
  • Take snapshots of the evidence and of the incident-prone areas; they support the forensic process
  • Photograph all of the evidence, or the items that help in finding evidence
  • Label the photographed evidence according to the methodology
  • Photograph the evidence after the label is applied
  • Digital photography helps to capture, edit, and transfer images faster
  • Digital photography helps in correcting the perspective of an image, which is used when taking measurements of the evidence
• 28. Gather the Preliminary Information at the Scene
  When an incident occurs, the following information should be gathered:
  • Date and time
  • Place and location of the incident
  • Evidence from volatile and non-volatile systems
  • Details of the person(s) involved in the incident
  • Name and identification of any person who can serve as a potential witness
• 29. First Responder
  • The first person at the scene of the incident should collect and preserve as much evidence as possible
  • Evidence on all kinds of devices present at the scene should be collected
  • Follow the law while collecting the evidence, or contact a computer forensic examiner as soon as possible
• 31. Collect Physical Evidence
  • Collect electronic devices or any other media found at the crime scene
  • To preserve the integrity of the physical evidence, handle every piece of evidence collected carefully
  • Tag the objects identified as evidence; the tag provides detailed information about the evidence
  Physical evidence includes:
  • Removable media
  • Cables
  • Publications
  • All computer equipment, including peripherals
  • Items taken from the trash
  • Miscellaneous items
• 32. Evidence Collection Form
  EVIDENCE
  Submitting Agency: ________________
  Case No: ________________
  Item No: ________________
  Date of Collection: ________________
  Time of Collection: ________________
  Collected by: ________________
  Badge No: ________________
  Description of Enclosed Evidence: ________________
  Location Where Collected: ________________
  Type of Offense: ________________
  Victim’s Full Name: ________________
  Suspect’s Full Name: ________________
• 33. Collect Electronic Evidence
  • List the systems involved in the incident and the systems from which evidence can be collected
  • For each system, obtain the relevant order of volatility
  • Record the extent of the system's clock drift
  • Collect evidence from the people who are part of the incident
  • Capture the electronic serial number of the drive and other user-accessible, host-specific data
• 34. Collect Electronic Evidence (cont’d)
  Electronic evidence consists of:
  Data files:
  • Office desktop computer/workstation
  • Notebook computer
  • Home computer
  • Computers of personal assistants/secretaries/staff
  • Palmtop devices
  • Network file servers/mainframes/mini-computers
  Backup tapes:
  • System-wide backups (monthly/weekly/incremental)
  • Disaster recovery backups (stored off site)
  • Personal or “ad hoc” backups (look for diskettes and other portable media)
• 35. Collect Electronic Evidence (cont’d)
  Other media sources:
  • Tape archives
  • Replaced/removed drives
  • Floppy diskettes and other portable media (e.g., CDs, Zip cartridges)
• 36. Guidelines in Acquiring Evidence
  • Sample banners are used to record system activity when the system is used by an unauthorized user
  • In warning banners, organizations give clear and unequivocal notice to intruders that by signing onto the system they are expressly consenting to such monitoring
  • Seize the equipment that is connected to the case; knowing the role of the computer will indicate what should be taken
  • During the seizing process, the computer should not be powered down
  • Ensure that the examiner’s storage device is forensically clean when acquiring the evidence
  • Initiate write protection, if available, to preserve and protect the original evidence
• 38. Secure the Evidence
  • Secure the evidence without damaging the evidence’s identity
  • Place the evidence in a secured site and do not allow any intruder to access it
  • Maintain the chain of custody to properly track the evidence
  • Identify digital and non-digital artifacts to separate the evidence according to its behavior
  • Maintain a log book at the entrance of the lab to record the times and names of the persons who visited
  • Place an intrusion alarm system at the entrance of the forensic lab
  • Contact law enforcement agencies to learn how to preserve the evidence
• 39. Evidence Management
  Evidence management helps in protecting the true nature of the evidence. This is achieved by proper handling and documentation of the evidence. The procedures used to protect and document the evidence when collecting and shipping it are:
  • The logbook of the project
  • A tag to uniquely identify an item of evidence
  • A chain of custody record
  At the time of evidence transfer, both sender and receiver need to record the date and time of the transfer in the chain of custody record.
• 40. Chain of Custody
  Chain of custody is a legal document that demonstrates the progression of evidence as it travels from the original evidence location to the forensic laboratory.
  Functions:
  • Governs the collection, handling, storage, testing, and disposition of evidence
  • Safeguards against tampering with or substitution of evidence
  • Documents that these steps have been carried out
  The chain of custody form should identify:
  • Sample collector
  • Sample description, type, and number
  • Sampling data and location
  • Any custodians of the sample
• 41. Chain of Custody Form
  Case #: ________  Client Ref. #: ________
  For each item (the form has space for three): Client Item #, Description, Make, Model, Serial #, Other Identifying #
  CHAIN OF CUSTODY (one row per transfer): Client Item #’s | Date/Time | Released By (Name/Client, Signature) | Received By (Name/Client, Signature) | Reason
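The chain of custody record on the previous slides can be kept as a data structure whose continuity the examiner can check mechanically: every transfer of an item must be released by whoever received it last, timestamps must not run backwards, and no entry may be altered or reordered after the fact. The following is an added example and not EC-Council's form or any tool's code; the case number, item id, names and times are constructed, and the hash chain (each entry commits to the previous entry's digest) is a design choice for detecting edits to the log, not a replacement for the signed paper form.

```python
"""Chain-of-custody record with continuity checks and a tamper-evident hash chain.

Added example, not EC-Council's form or code. Case number, item id, names and
times are constructed. The hash chain is a design choice for detecting altered
or reordered entries; it does not replace the signed paper form.
"""
import hashlib
import json
from datetime import datetime, timezone


class CustodyRecord:
    """One record per case; every custody transfer of every item is appended here."""

    def __init__(self, case_no):
        self.case_no = case_no
        self.entries = []  # dicts, in the order they were appended
        self._last_hash = self._seed()

    def _seed(self):
        return hashlib.sha256(self.case_no.encode()).hexdigest()

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, item_id, released_by, received_by, when, reason):
        entry = {
            "seq": len(self.entries),
            "item_id": item_id,
            "released_by": released_by,
            "received_by": received_by,
            "when": when.isoformat(),
            "reason": reason,
            "prev_hash": self._last_hash,  # links this entry to the one before it
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._last_hash = entry["hash"]
        return entry

    def collect(self, item_id, collector, when, location):
        """First link: the collector takes the item from its original location."""
        return self._append(item_id, location, collector, when, "collected at scene")

    def transfer(self, item_id, released_by, received_by, when, reason):
        return self._append(item_id, released_by, received_by, when, reason)

    def custodian(self, item_id):
        """Who holds the item now, according to the record."""
        for entry in reversed(self.entries):
            if entry["item_id"] == item_id:
                return entry["received_by"]
        return None

    def verify(self):
        """Return a list of problems; an empty list means the record is consistent."""
        problems = []
        prev_hash = self._seed()
        last_seen = {}  # item_id -> (current custodian, time of last transfer)
        for e in self.entries:
            if e["prev_hash"] != prev_hash or e["hash"] != self._digest(e):
                problems.append(f"entry {e['seq']}: hash chain broken (altered or reordered)")
            when = datetime.fromisoformat(e["when"])
            if e["item_id"] in last_seen:
                holder, last_when = last_seen[e["item_id"]]
                if e["released_by"] != holder:
                    problems.append(f"entry {e['seq']}: {e['item_id']} released by "
                                    f"{e['released_by']} but last custodian was {holder}")
                if when < last_when:
                    problems.append(f"entry {e['seq']}: timestamp precedes previous transfer")
            last_seen[e["item_id"]] = (e["received_by"], when)
            prev_hash = e["hash"]
        return problems


def build_sample_record():
    """Constructed case: one laptop moving from the scene to the locker to the examiner."""
    def at(hour, minute):
        return datetime(2009, 3, 13, hour, minute, tzinfo=timezone.utc)

    rec = CustodyRecord("CASE-2009-0001")  # constructed case number
    rec.collect("ITEM-01", "Investigator A", at(10, 5), "Suite 410, desk of J. Doe")
    rec.transfer("ITEM-01", "Investigator A", "Evidence Custodian B", at(12, 40),
                 "intake to evidence locker")
    rec.transfer("ITEM-01", "Evidence Custodian B", "Examiner C", at(14, 15),
                 "check-out for imaging")
    return rec


def demo():
    clean = build_sample_record()

    gap = build_sample_record()  # a transfer whose releaser no longer held the item
    gap.transfer("ITEM-01", "Investigator A", "Examiner D",
                 datetime(2009, 3, 14, 9, 0, tzinfo=timezone.utc), "re-examination")

    tampered = build_sample_record()  # an entry edited after the fact
    tampered.entries[1]["reason"] = "returned to owner"

    return {"clean": clean.verify(), "gap": gap.verify(), "tampered": tampered.verify()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

The continuity rule (releaser must equal the last recorded receiver) is what catches an item that was handed around without being logged; the hash chain catches a log that was edited to hide that.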
• 43. Original Evidence Should NEVER be Used for Analysis
• 44. Duplicate the Data (Imaging)
  • Duplicate the data to preserve the original data
  • The data should be duplicated bit by bit so that the copy represents the original exactly
  • The data can be duplicated using either hardware or software
  • The duplicated data is sent to the forensic lab
• 45. Verify Image Integrity
  • Calculate and compare the MD5 hash of the original evidence and of the forensic image
  • Matching hash values show that the image is the same as the evidence
  Tools for calculating hash values:
  • Md5sum
  • Free Hash
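Slides 36, 44 and 45 together describe one sequence: confirm the examiner's destination media is forensically clean, copy the evidence bit for bit, then hash both sides and compare. The following is an added example, not EC-Council's code or the Md5sum or Free Hash tools: it uses only the Python standard library, the "evidence" is a constructed byte pattern written to a temporary file, and it computes SHA-256 alongside the MD5 the slide names so that the comparison does not rest on MD5 alone.

```python
"""Bit-for-bit imaging with wipe verification and hash comparison.

Added example, not EC-Council's code. The evidence it images is a constructed
byte pattern in a temporary file, so the whole thing runs offline.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read/write 1 MiB at a time so large images do not sit in memory


def is_wiped(path, chunk_size=CHUNK):
    """True if every byte at `path` is zero (the destination is forensically clean)."""
    zeros = bytes(chunk_size)
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk_size)
            if not buf:
                return True
            if buf != zeros[: len(buf)]:
                return False


def hash_file(path, algorithms=("md5", "sha256"), chunk_size=CHUNK):
    """Digest of the whole file under each algorithm, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(buf)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_bit_for_bit(source, destination, algorithms=("md5", "sha256"), chunk_size=CHUNK):
    """Copy `source` to `destination` byte for byte, hashing the source as it is read.

    Returns the digests of what was read, to be compared with digests computed
    afterwards over the written image and over the source again.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for buf in iter(lambda: src.read(chunk_size), b""):
            dst.write(buf)
            for h in hashers.values():
                h.update(buf)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before it is hashed
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source, image, algorithms=("md5", "sha256")):
    """Compare source and image digests; returns (match, source_digests, image_digests)."""
    src_digests = hash_file(source, algorithms)
    img_digests = hash_file(image, algorithms)
    return src_digests == img_digests, src_digests, img_digests


def demo():
    """Run the acquire-and-verify sequence on constructed data and return the results."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "evidence.bin")  # stands in for the seized drive
        image = os.path.join(workdir, "evidence.dd")      # the examiner's destination media
        # Constructed "evidence": a fixed byte pattern, not real data.
        with open(evidence, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # 1 MiB
        # The examiner's media is zero-filled before use; check that it really is.
        with open(image, "wb") as f:
            f.write(bytes(os.path.getsize(evidence)))
        wiped_before = is_wiped(image)

        acquired = image_bit_for_bit(evidence, image)
        match, src, img = verify_image(evidence, image)

        # Flip one byte in the image: the digests must no longer agree.
        with open(image, "r+b") as f:
            f.seek(100)
            f.write(b"\xff")
        match_after_tamper, _, _ = verify_image(evidence, image)

    return {
        "destination_wiped_before": wiped_before,
        "acquired": acquired,
        "source": src,
        "image": img,
        "match": match,
        "match_after_tamper": match_after_tamper,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Three digests are compared, not two: the digest taken while reading the source during acquisition, the digest of the source read again afterwards, and the digest of the written image. If the first two differ, the source changed under the examiner (a write blocker was missing or failed); if the third differs, the copy or the destination media is at fault.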
• 46. Recover Lost or Deleted Data
  Collect lost or deleted data from internal and external devices as evidence. Some software used to recover the data:
  • Partition Recovery Software
  • Data Recovery Wizard
  • PCInspector File Recovery
  • TestDisk and PhotoRec
  • ISOBuster
  • SoftPerfect File Recovery
• 48. Data Analysis
  • Thoroughly analyze the acquired data to draw conclusions related to the case
  • Data analysis techniques depend on the scope of the case or the client’s requirements
  • Identify and categorize data in order of relevance
  This phase includes:
  • Analysis of each file’s content; the date and time of its creation and modification; the users associated with its creation, access, and modification; and its physical storage location
  • Timeline generation
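Timeline generation only works across hosts once each host's recorded clock drift (slide 33) has been removed from its timestamps, and a timeline built from file creation, modification and access times also exposes patterns that a single file view does not, such as a copy whose creation time is later than its modification time. The block below is an added example, not EC-Council's code or any listed tool's output: SAMPLE_FILES stands for metadata an examiner would export from an image and CLOCK_DRIFT for the drift recorded at seizure (system clock minus a trusted reference); both are constructed, and all timestamps are taken as UTC.

```python
"""Build a cross-host file timeline with clock-drift correction.

Added example, not EC-Council's code or tool output. SAMPLE_FILES and
CLOCK_DRIFT are constructed; timestamps are treated as UTC.
"""
from datetime import datetime, timedelta

# constructed: MAC times as exported from two imaged hosts
SAMPLE_FILES = [
    {"host": "ws-17", "owner": "jdoe", "path": "C:/Users/jdoe/Documents/q3-forecast.xlsx",
     "created": "2009-03-12T09:14:02", "modified": "2009-03-12T17:48:10",
     "accessed": "2009-03-13T08:02:55"},
    {"host": "ws-17", "owner": "jdoe", "path": "E:/forecast-copy.xlsx",
     "created": "2009-03-13T08:03:10", "modified": "2009-03-12T17:48:10",
     "accessed": "2009-03-13T08:03:10"},
    {"host": "fs-01", "owner": "finance", "path": "/srv/share/finance/q3-forecast.xlsx",
     "created": "2009-03-12T17:50:00", "modified": "2009-03-12T17:50:00",
     "accessed": "2009-03-13T08:30:00"},
]

# constructed: system clock minus reference clock, measured on each seized host
CLOCK_DRIFT = {
    "ws-17": timedelta(minutes=-7, seconds=-30),  # workstation clock ran 7 min 30 s slow
    "fs-01": timedelta(seconds=12),               # file server clock ran 12 s fast
}


def to_reference_time(stamp, host, drift):
    """Convert a timestamp read from `host` to reference time by removing its drift."""
    return datetime.fromisoformat(stamp) - drift.get(host, timedelta(0))


def build_timeline(files, drift):
    """One event per MAC timestamp, across all hosts, ordered by corrected time."""
    events = []
    for f in files:
        for action in ("created", "modified", "accessed"):
            events.append({
                "time": to_reference_time(f[action], f["host"], drift),
                "host": f["host"],
                "path": f["path"],
                "owner": f["owner"],
                "action": action,
            })
    events.sort(key=lambda e: (e["time"], e["host"], e["path"], e["action"]))
    return events


def flag_copied(files):
    """Files whose creation time is later than their modification time.

    A copy keeps the source's modification time but gets a new creation time,
    so this pattern is the usual sign that the file arrived from elsewhere.
    """
    return [f for f in files
            if datetime.fromisoformat(f["created"]) > datetime.fromisoformat(f["modified"])]


def filter_relevant(events, keywords):
    """Keep events whose path or owner contains any keyword (case-insensitive)."""
    wanted = [k.lower() for k in keywords]
    return [e for e in events
            if any(k in e["path"].lower() or k in e["owner"].lower() for k in wanted)]


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_FILES, CLOCK_DRIFT):
        print(e["time"].isoformat(), e["host"], e["action"].ljust(8), e["path"])
    print("copied from elsewhere:", [f["path"] for f in flag_copied(SAMPLE_FILES)])
```

In the constructed data the workstation's uncorrected clock places its events several minutes earlier than the file server's; after correction the spreadsheet's last modification on the workstation falls after the copy on the share was written, and the file on the removable drive is flagged as a copy. The keyword filter is the key-word list from slide 21 applied to the timeline rather than to file contents.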
• 49. Data Analysis Tools
  Forensic tools help in sorting and analyzing a large volume of data to draw meaningful conclusions. Examples of data analysis tools:
  • AccessData's FTK
  • Guidance Software's EnCase
  • Brian Carrier's Sleuth Kit
• 51. Evidence Assessment
  • The digital evidence should be thoroughly assessed with respect to the scope of the case to determine the course of action
  • Conduct a thorough assessment by reviewing the search warrant or other legal authorization, the case details, the nature of the hardware and software, the potential evidence sought, and the circumstances surrounding the acquisition of the evidence to be examined
• 52. Case Assessment
  • Review the case investigator’s request for service
  • Identify the legal authority for the forensic examination request
  • Document the chain of custody
  • Discuss whether other forensic processes need to be performed on the evidence (e.g., DNA analysis, fingerprints, tool marks, trace evidence, and questioned documents)
• 53. Case Assessment (cont’d)
  • Discuss the possibility of pursuing other investigative avenues to obtain additional digital evidence (e.g., sending a preservation order to an Internet service provider (ISP), identifying remote storage locations, obtaining email)
  • Consider the relevance of peripheral components to the investigation; for example, in forgery or fraud cases, consider non-computer equipment such as laminators, credit card blanks, check paper, scanners, and printers (in child pornography cases, consider digital cameras)
  • Determine the potential evidence being sought (e.g., photographs, spreadsheets, documents, databases, and financial records)
  • Determine additional information regarding the case (e.g., aliases, email accounts, email addresses, ISP used, names, network configuration and users, system logs, passwords, user names), which may be obtained through interviews with the system administrator, users, and employees
• 54. Processing Location Assessment
  • Assess the evidence to determine where to conduct the examination
  • It is preferable to complete the examination in a controlled environment, such as a dedicated forensic work area or laboratory
  • Whenever circumstances require an onsite examination, attempt to control the environment
• 55. Processing Location Assessment (cont’d)
  Assessment considerations include:
  • The time needed onsite to accomplish evidence recovery
  • Logistic and personnel concerns associated with long-term deployment
  • The impact on the business of a lengthy search
  • The suitability of the equipment, resources, media, training, and experience for an onsite examination
• 56. Best Practices
  • Analyze the physical and logical evidence for their value to the case
  • Use a safe cabinet to secure the evidence
  • Examine network service logs for any events of interest
  • Examine the large amount of host data, of which only a portion might be relevant to the incident
  • Perform offline analysis on a bit-wise copy of the original evidence
  • Search the contents of all gathered files to help identify files that may be of interest
  • Review the time and date stamps in the file system metadata
  • Correlate the file headers to the corresponding file extensions to identify any mismatches
  • Review the file names for relevance and patterns
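Two of the practices above, correlating file headers with extensions and searching the contents of the gathered files, can be shown on a handful of files. The block below is an added example, not EC-Council's code or the logic of any tool the module lists: the signature table holds a few well-known file headers, SAMPLE_FILES is constructed (first bytes only) so the scan runs offline, and files whose header the table does not recognise are left unflagged rather than guessed at.

```python
"""Header-to-extension correlation and keyword search over collected files.

Added example, not EC-Council's code. SIGNATURES covers a few common headers;
SAMPLE_FILES is constructed so the scan runs offline.
"""

# leading bytes -> format family; matched longest-first
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also OOXML (docx/xlsx/pptx), jar, odt
    b"\xff\xd8\xff": "jpeg",
    b"\x1f\x8b": "gzip",
    b"MZ": "pe",            # Windows executables and DLLs
}

# extensions that legitimately carry each header family
EXTENSIONS = {
    "png": {"png"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "odt"},
    "jpeg": {"jpg", "jpeg"},
    "gzip": {"gz", "tgz"},
    "pe": {"exe", "dll", "sys", "scr"},
}

# constructed samples: file name -> first bytes as read from the image
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n%Q3 forecast summary\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "budget.xlsx": b"PK\x03\x04\x14\x00\x06\x00",
    "notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",       # executable carrying a .txt name
    "holiday.png": b"\xff\xd8\xff\xe1\x12\x08Exif",  # JPEG carrying a .png name
    "readme.txt": b"plain text, no signature",
}


def identify(header):
    """Return the format family for the header bytes, or None if unknown."""
    for sig in sorted(SIGNATURES, key=len, reverse=True):
        if header.startswith(sig):
            return SIGNATURES[sig]
    return None


def check_file(name, header):
    """Correlate one file's header with its extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    family = identify(header)
    mismatch = family is not None and ext not in EXTENSIONS[family]
    return {"name": name, "extension": ext, "detected": family, "mismatch": mismatch}


def scan(files):
    """All files whose header does not agree with their extension."""
    return [r for r in (check_file(n, h) for n, h in files.items()) if r["mismatch"]]


def search_keywords(files, keywords):
    """Names of files whose bytes contain each keyword (case-insensitive)."""
    hits = {k: [] for k in keywords}
    for name, data in files.items():
        text = data.decode("latin-1").lower()
        for k in keywords:
            if k.lower() in text:
                hits[k].append(name)
    return hits


if __name__ == "__main__":
    for r in scan(SAMPLE_FILES):
        print(f"{r['name']}: header says {r['detected']}, extension is .{r['extension']}")
    print(search_keywords(SAMPLE_FILES, ["forecast"]))
```

A mismatch is only a lead, not a conclusion: the OOXML formats share the ZIP header, which is why EXTENSIONS maps a family to a set rather than a single extension, and a real examination would run the keyword search over full file contents (and, for compressed containers, over their extracted members) rather than the first bytes used here.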
• 58. Documentation in Each Phase
  Assess the data:
  • An initial estimate of the impact of the situation on the organization's business
  • Summaries of interviews with users and system administrators
  • Outcomes of any legal and third-party interactions
  • Reports and logs generated by tools used during the assessment phase
  • A proposed course of action
  Acquire the data:
  • Create a check-in/check-out list that includes information such as the name of the person examining the evidence, the exact date and time they check out the evidence, and the exact date and time they return it
• 59. Documentation in Each Phase (cont’d)
  Analyze the data:
  • Document information regarding the number and type of operating system(s)
  • Document each file’s content
  • Document the result of correlating files to the installed applications
  • Document the user’s configuration settings
• 60. Gather and Organize Information
  Documentation from each phase should be assessed for its relevance to the investigation. Procedures used to gather and organize the required documentation are:
  • Gather all documentation and notes from the Assess, Acquire, and Analyze phases
  • Identify the parts of the documentation that are relevant to the investigation
  • Identify facts to support the conclusions you will make in the report
  • Create a list of all evidence to be submitted with the report
  • List any conclusions you wish to make in your report
  • Organize and classify the information you gathered to ensure that you get a clear and concise report
• 61. Writing the Investigation Report
  Report writing:
  • Report writing is a crucial stage in the outcome of the investigation
  • The report should be clear, concise, and written for the appropriate audience
  The information included in the report sections is:
  Purpose of report:
  • Clearly explain the objective of the report, the target audience, and why the report was prepared
  Author of report:
  • List all authors and co-authors of the report, including their positions, responsibilities during the investigation, and contact details
• 62. Writing the Investigation Report (cont’d)
  Incident summary:
  • Introduce the incident and explain its impact; the summary should explain clearly what happened and how the incident occurred
  Evidence:
  • Provide descriptions of the evidence that was acquired during the investigation
  Details:
  • Provide a detailed description of what evidence was analyzed and the analysis methods that were used
  • Explain the findings of the analysis
  • List the procedures that were followed during the investigation and any analysis techniques that were used
  • Include proof of your findings, such as utility reports and log entries
• 63. Writing the Investigation Report (cont’d)
  Conclusion:
  • Summarize the outcome of the investigation
  • Cite specific evidence to prove the conclusion
  • The conclusion should be clear and unambiguous
  Supporting documents:
  • Include any background information referred to throughout the report, such as network diagrams, documents that describe the computer investigation procedures used, and overviews of the technologies involved in the investigation
  • It is important that supporting documents provide enough information for the report reader to understand the incident as completely as possible
• 64–70. Sample Report
• 72. Expert Witness
  An expert witness is a person with thorough knowledge of his subject, such that others can legally rely on his opinion. The role of an expert witness is to:
  • Investigate a crime
  • Evaluate the evidence
  • Educate the public and the court
  • Testify in court
  Role of the expert witness in bringing evidence to court:
  • Assist the court in understanding intricate evidence
  • Aid the attorney in getting to the truth
  • Truthfully, objectively, and fully express his or her expert opinion, without regard to any views or influence
• 73. Testifying in the Court Room
  Presenting digital evidence in court requires knowledge of new, specialized, evolving, and sometimes complex technology. Things that take place in the court room:
  • Familiarize yourself with the usual procedures that are followed during a trial
  • The attorney introduces the expert witness with high regard
  • The opposing counsel may try to discredit the expert witness
  • The attorney leads the expert witness through the evidence
  • This is followed by cross-examination by the opposing counsel
• 74. Closing the Case
  • The investigator should include what was done and the results in the final report
  • A basic report covers: who, what, when, where, and how
  • In a good computing investigation, the steps can be repeated and the results obtained are the same every time
  • The report should explain the computer and network processes and the inner workings of the system
  • The investigator should provide an explanation of the various processes and their interrelated components
• 75. Maintaining Professional Conduct
  • Consider all the available facts that bear on the crime scene
  • Ignore external biases to maintain the integrity of the fact-finding in all investigations
  • Keep the case confidential
  • Stay current on the latest technical changes in computer hardware and software, networking, and forensic tools
  • Maintain a chain of custody
  Follow these criteria to maintain professional conduct:
  • Credibility
  • Ethics and morals
  • Standards of behavior
  • Maintain objectivity and confidentiality
  • Enriched technical knowledge
  • Conduct with integrity
• 76. Investigating a Company Policy Violation
  • Employees using the company’s resources for personal use not only waste the company’s time and resources but also violate the company’s policy
  • Trace such employees and educate them about the company’s policy; if the problem persists, take suitable action
  • Employees misusing resources can cost companies millions of dollars
  • While investigating, the business must continue with minimal interruption
  Misusing resources includes:
  • Surfing the Internet
  • Sending personal emails
  • Using company computers for personal tasks
• 77. Computer Forensics Service Providers
  • CFS: http://www.computer-forensic.com/
  • Lab systems: http://www.labsystems.co.in/
  • DataBank Services: http://www.databankservices.com/
  • Computer Legal Experts: http://www.ontonet.com/default.asp
  • Data Triage Technologies: http://www.datatriage.com/computer_forensics.php
  • New York Computer Forensic Services: http://www.newyorkcomputerforensics.com/
  • Global Digital Forensics: http://www.evestigate.com/
• 78. Summary
  • Collect evidence that can be presented in a court of law or at a corporate inquiry
  • Maintain a "chain of custody" for each piece of original media, indicating where the media has been, whose possession it has been in, and the reason for that possession
  • Obtain proper written authorization from an authorized decision maker to conduct the computer investigation
  • The first person at the scene of the incident should collect and preserve as much evidence as possible