Module V - First Responder Procedures
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Scenario
Sam, a system administrator, was surprised to see critical files missing from his office server. He suspected that the server had been compromised. He did not want to take a chance by investigating the system himself.
Sam reported the incident to Bob, an Information Security Officer employed with the same firm. Bob took note of the request from Sam. Being a CHFI, seizing Sam’s system and following the basic procedures for investigating the case was easy for Bob.
He investigated the image file of the server’s hard disk. His investigation revealed the presence of a rootkit in one of the directories of the server.
During the investigation process, Sam recalled downloading a patch management tool from the Internet from a third-party source. He realized that the rootkit could have been bundled with the patch management tool.
News: Mobile Handsets Becoming A 'Smoking Gun'
Source: http://www.darkreading.com/
Rise in mobile devices in the enterprise adds new challenges to incident response
Dec 01, 2008 | 02:42 PM
By Kelly Jackson Higgins
DarkReading -- You have to be fast when seizing a mobile handheld device in the wake of a security breach -- a dead battery or still-live signal could wipe out or taint the evidence stored on it.
As handheld devices gain more data features and storage, they also are increasingly becoming a smoking gun in an
enterprise data breach, especially when it comes to the insider threat, security experts say. But getting hold of these devices
and freezing the evidence on them isn't so easy.
"The biggest data breach [with handhelds] today is probably lost or stolen handhelds," says Randy Abrams, director of
technical education at Eset. "The fact that many of these devices support MicroSD card of at least 2 gigabytes of capacity
makes them extremely agile for transporting data. Insiders have no problem copying large amounts of data from a PC to
their smartphone. Even if the possession of the data is legitimate, a lost device with unencrypted data can be a gold mine
for the finder."
But the evidence on the devices can be easily lost or tainted. Amber Schroader, president and founder of Paraben, says the
key is to maintain power on the device and protect it from any changes that could contaminate the evidence on it. "You can
put aluminum foil around it to make sure the signal is blocked" or put a Faraday cage around it to protect the evidence, she
said during a presentation at the recent CSI 2008 conference.
The first responder to a handheld device could have less than a minute to properly seize and contain one of these "volatile"
devices, she says. If the battery dies, so does the forensics data that was on a Windows Mobile device, for instance,
Schroader said. "Every three days a new digital device goes into the consumer market," she said, and there aren't enough
forensic examiners to keep up with them.
Module Objective
This module will familiarize you with:
• Electronic Evidence
• First Responder
• Role of the First Responder
• Electronic Devices: Types and Collecting Potential Evidence
• First Responder Toolkit
• Evidence Collecting Tools and Equipment
• First Responder Procedures
• Securing and Evaluating Electronic Crime Scene
• Conducting Preliminary Interviews
• Documenting Electronic Crime Scene
• Collecting and Preserving Electronic Evidence
• Packaging Electronic Evidence
• Transporting Electronic Evidence
• Reporting the Crime Scene
• First Responder Common Mistakes
Module Flow
• Electronic Evidence
• First Responder
• Role of First Responder
• Electronic Devices: Types and Collecting Potential Evidence
• First Responder Toolkit
• Evidence Collecting Tools and Equipment
• First Responder Procedures
• Securing and Evaluating Electronic Crime Scene
• Conducting Preliminary Interviews
• Documenting Electronic Crime Scene
• Collecting and Preserving Electronic Evidence
• Packaging Electronic Evidence
• Transporting Electronic Evidence
• Reporting the Crime Scene
• First Responder Common Mistakes
Electronic Evidence
“Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device”
Properties of electronic evidence:
• It is hidden, similar to fingerprint evidence or DNA evidence
• It can be broken, altered, damaged, or destroyed by improper handling
• It expires within a pre-set time
First Responder
A first responder is the person who arrives first at the crime scene and accesses the victim’s computer system after the incident
He may be a network administrator, law enforcement officer, or investigation officer
He is responsible for protecting, integrating, and preserving the evidence obtained from the crime scene
Roles of First Responder
Identifying the crime scene
Protecting the crime scene
Preserving temporary and fragile evidence
Collecting the complete information about the incident
Documenting all the findings
Packaging and transporting the electronic evidence
Electronic Devices: Types and Collecting Potential Evidence
Computer systems:
• Evidence is found in files that are stored on servers, memory cards, hard drives, removable storage devices and media such as floppy disks, CDs, DVDs, cartridges, and tape
Hard drive:
• To collect the evidence, check text, picture, video, multimedia, database, and computer program files
Thumb drive:
• To collect the evidence, check text, graphics, image, and picture files
Memory card:
• To collect the evidence, check event logs, chat logs, text files, image files, picture files, and Internet browsing history
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Smart card, dongle, and biometric scanner:
• Evidence is found by recognizing or verifying the information of the card with the user, level of access, configurations, permissions, and in the device itself
Answering machine:
• Evidence is found in voice recordings such as deleted messages, last number called, memos, phone numbers, and tapes
Digital camera:
• Evidence is found in images, removable cartridges, video, sound, and time and date stamps
Pager:
• To collect the evidence, check address information, text messages, e-mail, voice messages, and phone numbers
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Personal digital assistants:
• Evidence is found in address books, appointment calendars or information, documents, and e-mail
Printer:
• Evidence is found through usage logs, time and date information, and network identity information
Removable storage devices (tape, CD, DVD, floppy):
• Evidence is found in the devices themselves
Telephones:
• Evidence is found through names, phone numbers, caller identification information, and appointment information
Modem:
• Evidence is found on the device itself
Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Scanner:
• Evidence is found through names, phone numbers, caller identification information, and appointment information
Copiers:
• Evidence is found in documents, user usage logs, and time and date stamps
Credit Card Skimmers:
• Evidence is found through the card’s expiration date, user’s address, credit card numbers, and user’s name
Digital Watches:
• Evidence is found through address books, notes, appointment calendars, phone numbers, and emails
Facsimile (Fax) Machines:
• Evidence is found through documents, phone numbers, film cartridges, and send or receive logs
First Responder Toolkit
The first responder toolkit is a set of tested tools that helps the first responder collect genuine and presentable evidence
It helps the first responder understand the limitations and capabilities of electronic evidence at the time of collection
Creating a First Responder Toolkit
Create a trusted forensic computer or testbed by:
• Choose the related operating system
• Completely sanitize the forensics computer
• Install the operating system and required software
• Update and patch the forensics computer
• Install a file integrity monitor to test the integrity of the file system
Document the details of the forensics computer with:
• Version name and type of the operating system
• Name and types of different software
• Name and types of the installed hardware
Creating a First Responder Toolkit (cont’d)
Document the summary of the collected tools:
• It helps the first responder to understand how a tool works
• The summary comprises:
• Acquisition of the tool
• Detailed description of the tool
• Working of the tool
• Tool dependencies and the system effects
Test the tools:
• Test the collected tools on the forensics computer and examine the performance and output
• Examine the effects of the tool on the forensics computer
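As an added example (not EC-Council's material), the following Python script shows what the "file integrity monitor" step above amounts to in practice: it takes a SHA-256 baseline of the forensics computer's toolkit directory and later reports anything added, removed or modified, which lets the responder document that the tested tools were unchanged when they were used at the scene. The toolkit layout built in demo() is constructed sample data.

```python
"""Minimal file integrity monitor for a trusted forensic workstation.
Added example, not EC-Council's tool. It records a SHA-256 baseline of the
toolkit directory and later reports files that were added, removed or
modified, giving the responder evidence that the tools were unchanged
between testing and use at the scene.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20   # hash in 1 MiB chunks so large tool images use bounded memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX-style relative path.

    Symlinks are skipped: following one would let a planted link pull an
    outside file into the 'trusted' baseline.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    """Write the baseline as sorted JSON; keep a copy off the workstation as well."""
    Path(out).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: sorted lists of added, removed and modified paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new
                           if baseline[p]["sha256"] != current[p]["sha256"]),
    }


def verify(root: Path, baseline_file: Path) -> dict:
    """Re-hash root against a saved baseline; three empty lists mean 'clean'."""
    return compare(load_baseline(baseline_file), build_baseline(root))


def demo() -> dict:
    """Constructed sample: baseline a toolkit, tamper with it, then verify."""
    root = Path(tempfile.mkdtemp(prefix="fr_toolkit_"))
    (root / "bin").mkdir()
    (root / "bin" / "imager").write_bytes(b"constructed sample tool " * 100)
    (root / "README.txt").write_text("trusted first responder toolkit\n")
    baseline_file = root.parent / (root.name + ".baseline.json")   # kept outside root
    save_baseline(build_baseline(root), baseline_file)

    (root / "bin" / "imager").write_bytes(b"replaced binary")   # modified
    (root / "bin" / "dropper").write_bytes(b"unexpected file")  # added
    (root / "README.txt").unlink()                              # removed
    return verify(root, baseline_file)


if __name__ == "__main__":
    import sys
    # usage: fim.py baseline <dir> <baseline.json> | fim.py verify <dir> <baseline.json>
    if len(sys.argv) == 4:
        cmd, root, bl = sys.argv[1:4]
        if cmd == "baseline":
            save_baseline(build_baseline(Path(root)), Path(bl))
        else:
            print(json.dumps(verify(Path(root), Path(bl)), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```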
Evidence Collecting Tools and Equipment
Documentation Tools:
• Cable tags
• Indelible felt tip markers
• Stick-on labels
Disassembly and Removal Tools:
• Flat-blade and Phillips-type screwdrivers
• Hex-nut drivers
• Needle-nose pliers
• Secure-bit drivers
• Small tweezers
• Specialized screwdrivers
• Standard pliers
• Star-type nut drivers
• Wire cutter
Departments should have general crime scene processing tools (e.g., cameras, notepads,
sketchpads, evidence forms, crime scene tape, and markers)
Evidence Collecting Tools and Equipment (cont’d)
Package and Transport Supplies:
• Antistatic bags
• Antistatic bubble wrap
• Cable ties
• Evidence bags
• Evidence tape
• Label tag
• Tape
• Packing materials
• Sturdy boxes of various sizes
Other Tools:
• Gloves
• Hand truck
• Magnifying glass
• Printer paper
• Seizure disk
• Unused floppy diskettes
Evidence Collecting Tools and Equipment (cont’d)
Notebook Computers:
• Licensed software
• Bootable CD
• External hard drives
• Network cables
Software Tools:
• DIBS® Mobile Forensic Workstation
• AccessData's Ultimate Toolkit
• TEEL Technologies SIM tools
Hardware Tools:
• Paraben Forensics Hardware
• Digital Intelligence Forensic Hardware
• Tableau Hardware Accelerator
• Wiebetech forensics hardware tools
• Logicube forensics hardware tools
First Response Basics
First Response Rule
Under no circumstances should anyone, with the exception of qualified computer
forensics personnel, make any attempts to restore or recover information from a
computer system or device that holds electronic information
Any attempts to retrieve data by unqualified individuals should be avoided as
these attempts could either compromise the integrity of the files or result in files
being inadmissible in legal or administrative proceedings
Incident Response: Different Situations
First response to an incident may involve three different groups of people, and each will have differing skills and need to carry out differing tasks based on the incident
The three groups are:
• System administrators
• Local managers or other non-forensic staff
• Laboratory forensic staff
First Response for System Administrators
The actions taken by the system administrator after discovery of a potential computer violation will play a vital role in the investigation
Once an incident has been discovered by a system administrator, they must report it according to the current organisational incident reporting procedures
The system administrator should then not touch the system unless directed to by either the incident or duty manager or one of the forensic analysts assigned to the case
First Response by Non-Laboratory Staff
Secure the scene and ensure that it is maintained in a secure state until the Forensic Team advises otherwise
Make notes about the scene that will eventually be handed over to the Forensic Team
The whole area surrounding a suspect computer, and not just the computer itself, is the incident scene
First Response by Laboratory Forensic Staff
First response by laboratory forensic staff involves six stages:
1: Securing and evaluating electronic crime scene
• Search warrant for search and seizure
• Plan for search and seizure
• Conduct the initial search of the scene
• Health and safety issues
2: Conducting preliminary interviews
• Ask questions
• Check the consent issues
• Witness signatures
• Initial interviews
First Response by Laboratory Forensic Staff (cont’d)
3: Documenting electronic crime scene
• Photographing the scene
• Sketching the scene
4: Collecting and preserving electronic evidence
• Evidence collection
• Exhibit numbering
• Dealing with powered OFF/ON computers at the seizure time
• Seizing portable computers
5: Packaging electronic evidence
6: Transporting electronic evidence
• Handling and transportation to the Forensic Laboratory
• Ensure the ‘Chain of custody’ is strictly followed
Securing and Evaluating Electronic Crime Scene: A Check-list
Follow the policies of the legal authority for securing the crime scene
Verify the type of the incident
Make sure that the scene is safe for you and for other responders
Isolate other persons who are present at the scene
Locate and help the victim
Verify the data related to offenders
Transmit additional flash messages to other responding units
Request additional help at the scene if needed
Establish a security perimeter and check whether the offenders are still present in the crime scene area
Securing and Evaluating Electronic Crime Scene: A Check-list (cont’d)
Protect the evidence that is at risk of being lost or signed as agreement
Protect perishable data (e.g. pagers and Caller ID boxes) physically and electronically
Make sure that the devices that contain perishable data are secured, documented, and/or photographed
Recognize the telephone lines that are connected to devices such as modems and caller ID boxes
Document, disconnect, and label telephone lines or network cables
Observe the situation at the scene and record those observations
Protect physical evidence or hidden fingerprints that are found on keyboards, mice, diskettes, and CDs
Securing the Crime Scene
Warrant for Search and Seizure
A search warrant allows the first responder to perform the search and seizure of the electronic evidence that is mentioned in the search warrant
Search warrants for electronic devices basically focus on the following:
Electronic storage device search warrant
• An electronic storage device search warrant allows the first responder to search and seize the victim’s computer components (such as hardware, software, storage devices, and documentation)
Service provider search warrant
• A service provider search warrant allows the first responder to get the victim’s computer information (such as service records, billing records, and subscriber information) from the service provider
Planning the Search and Seizure
A search and seizure plan contains the following details:
• Description of the incident
• Incident manager running the incident
• Case name/title for the incident
• Location of the incident
• Applicable jurisdiction and relevant legislation
• Location of the equipment to be seized:
• Structure’s type and size
• Where are the computer(s) located (all in one place, spread across the building or floors)
• Who will be present at the incident?
• Is there a friendly atmosphere at the location?
Planning the Search and Seizure (cont’d)
Details of what is to be seized (make, model, location, ID etc.):
• Type of the device and number to be seized
• Will the computers be running at seizure or will they be shut down?
• Are they networked?
• If so, what type of network, where is data stored on the network, where are the backups held, is the system administrator a ‘friendly’ person, will it be necessary to take the server down, and what is the business impact of this action?
Search and seizure type (overt / covert)
Local management involvement
Initial Search of the Scene
Isolate the computer system (workstation, stand-alone, or network server) and other media devices that can contain digital evidence
Include a search and seizure evidence log which contains brief descriptions of all computers, devices or media located during the search for evidence
Make a note of the locations on the crime scene sketch as well
Photograph and sketch the crime scene, along with a detailed accounting of all computer evidence
Health and Safety Issues
It is important to consider the health and safety factors in
the work carried out at all stages of the forensic process
conducted by the forensic analysts
All forensic teams should wear protective latex gloves for
searching and seizing operations on site
This is to protect both the staff and preserve any
fingerprints that may be required to be recovered at a later
date
Conducting Preliminary Interviews
Questions to Ask When the Client Calls the Forensic Investigator
Description of the incident
Incident manager running the incident
Case name / title for the incident
Location of the incident
What jurisdiction the case and/or seizure is to be performed under
Details of what is to be seized (make, model, location, ID etc.)
Other work to be performed at the scene (e.g. full search, evidence required, etc.)
Whether the search and seizure is to be overt or covert and whether local management
should know
Consent
There are times when the user is present, consent from the user of the hardware is required, and consent is given
In cases such as this, appropriate forms for the jurisdiction should be used and carried in the grab bag
Sample of Consent Search Form
Witness Signatures
Depending on the legislation of the jurisdiction, a signature (or two) may or may not be required to certify collection of evidence
Typically, where one signature is required, the Forensic Analyst or Law Enforcement Officer performs the seizure
Where two signatures are required, guidance should be sought to determine whose second signature should be taken into consideration
Whoever signs as a witness needs a clear understanding of their role and may be required to provide a witness statement or attend court
Conducting Preliminary Interviews
Interview separately and identify all persons (witnesses and others)
available at the scene and record their location at the time of entry
Be consistent with the departmental policies and applicable laws, and collect
information from individuals like:
• Owners and/or users of electronic devices found at the scene
• User names and Internet service provider
• Passwords required to access the system, software, or data
• Purpose of using the system
• Unique security schemes or destructive devices
• Any offsite data storage
• Documents explaining the hardware or software installed on the system
Conducting Initial Interviews
If the suspect is present at the search and seizure time, the Incident Manager or the Laboratory Manager may consider asking the suspect some questions, but these must comply with the relevant Human Resources or legislative guidelines for the jurisdiction
At initial interviews, the suspect often has little time to concoct any alibis etc., and often when asked questions, they answer truthfully even to such questions as ‘what are the passwords for the account’
Conducting Initial Interviews (cont’d)
An individual who has physical possession of a piece of evidence is responsible
for its security
Evidence should be secured in such a manner that only the individual who has
signed for it can gain access to it, though it is noted that this is not always
possible
Typical questions could include:
• Are there any keys – some computer cases have physical key locks
• What are the user IDs and passwords for the computer?
• What email addresses are used and what are the user IDs and passwords for them?
Witness Statement Checklist
Documenting the Electronic Crime Scene
Documenting Electronic Crime Scene
Documentation of the scene creates an unchanging historical record of the
scene
Document the physical scene, such as the position of the mouse and the
location of components near the system
Document related electronic components that are difficult to find
Record the condition of the computer system, storage media, electronic
devices and conventional evidence, including power status of the computer
Take a photograph of the computer’s screen and write notes on what you
have seen on the screen
Photographing the Scene
Photographing a scene should be the first step taken by the Forensic
Team on arrival
Photographing of the crime scene should be done in a manner not to
alter or damage the scene
The ideal situation is to first take several photographs that will
establish the location of the scene, followed by an entry photograph,
followed by a series of ‘360 degree’ photographs
‘360 degree’ photographs are simply overlapping photographs
depicting the entire crime scene
The key to remember in crime scene photography is to go from the
overall scene down to the smallest piece of evidence
Photographing the Scene (cont’d)
Photographs should also be taken of the immediate work area to include computer disks, handwritten notes, and other computer equipment (printers and external drives)
Photographs should also be taken of the rear of the computer to accurately display how the leads are connected
If this cannot be done, then all cables must be labelled, and the PC should be photographed once it has been reconnected back at the Forensic Laboratory
Sketching the Scene
A crime scene sketch should be prepared which details the
overall scene
This should include the locations of items within the office
area
Again, the rule of thumb for crime scene sketching is to go
from the overall scene to the smallest piece of evidence
This may require several sketches to accurately depict the
scene
Video Shooting the Crime Scene
Collecting and Preserving Electronic Evidence
When an incident is reported where a computer is assumed to be a part of the incident, it is often the case that this is the first and only item seized. This is wrong.
The scene should be searched in a circular motion with the concept of the computer being at the centre of the circle
Items of evidence, as located, should be photographed, identified within notes and then collected
Evidence should be identified, recorded, seized, bagged, and tagged on site with no attempts to determine contents or status
Order of Volatility
When collecting evidence, the collection should proceed from the most volatile to the least volatile. The list below is the order of volatility for a typical system:
• Registers, cache
• Routing table, process table, kernel statistics, and memory
• Temporary file systems
• Disk or other storage media
• Remote logging and monitoring data that is relevant to the
system in question
• Physical configuration, network topology
• Archival media
Dealing with Powered OFF Computers at Seizure Time
If equipment is switched OFF – leave it OFF
Dealing with Powered ON Computers
The first step to take when approaching an active, powered on, and running computer is:
• STOP and THINK
• The contents of RAM in an active computer system
undoubtedly hold some information and occasionally
this can be important to a case
• For example, data which is likely to be found
encrypted on a disk might be found in an
unencrypted state in memory, or a running process
might need to be identified and examined before
power is removed
• Any such information in memory will be lost when
the power supply to the device is removed
Dealing with Powered ON Computers (cont’d)
If a computer is switched on and the screen is viewable, then the following must be done:
• Record the programs running on screen
• Photograph the screen
Dealing with Networked Computer
Unplug the network cable from the router and modem
If computer is off, leave it off
If the computer is ON, photograph the screen
If the computer is ON and the screen is blank, move the mouse
slowly and take a photograph of the screen
Label all the connected devices and cords for later identification
Unplug all the cords and devices connected to the computer
Dealing with Open Files and Startup Files
Malware attacks on the computer system create some files in the startup folder to run the malware program
Follow the listed procedures to find the evidence:
• Open the recently created documents from the startup or system32 folder for Windows and the rc.local file for Linux
• Note down the date and time of the files
• Examine the open file for sensitive data such as passwords, images etc.
• Search for unusual MAC times on vital folders and startup files
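As an added example (not part of EC-Council's material), this Python script implements the "unusual MAC times" check from the last step: it lists the modification, access and change times of every file in the startup locations and flags those touched inside the suspected incident window, as well as files whose mtime a normal write could not have produced. The startup paths, the incident window and the files created by demo() are assumptions or constructed sample data; it is meant to be run from the trusted toolkit against a mounted image copy rather than the live suspect disk.

```python
"""Triage of MAC (modify/access/change) times on startup locations.
Added example, not EC-Council's tool. It flags files whose timestamps fall
inside the suspected incident window and files whose mtime is later than
their ctime or in the future, which a normal write cannot produce and which
suggests the timestamp was set deliberately.
"""
import os
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

# Assumed startup locations named in the procedure; adjust for the system seized.
WINDOWS_STARTUP = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    r"C:\Windows\System32",
]
LINUX_STARTUP = ["/etc/rc.local", "/etc/init.d", "/etc/cron.d"]


def iso(ts: float) -> str:
    """UTC ISO-8601 string for the report; raw epoch values stay in the record."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="seconds")


def mac_times(path: Path) -> dict:
    """M/A/C times of one file via lstat, so a planted symlink is not followed."""
    st = os.lstat(path)
    return {"path": str(path), "mtime": st.st_mtime,
            "atime": st.st_atime, "ctime": st.st_ctime}


def iter_files(locations):
    """Yield every file under the given files/directories (symlinked dirs are not entered)."""
    for loc in locations:
        p = Path(loc)
        if p.is_symlink() or p.is_file():
            yield p
        elif p.is_dir():
            for dirpath, _dirs, files in os.walk(p):
                for name in files:
                    yield Path(dirpath) / name


def triage(locations, window_start: float, window_end: float, now=None) -> list:
    """Return records for files with a MAC time in the window or an impossible ordering.

    Records are sorted by mtime so the responder reads them as a timeline.
    On POSIX every write and every utime() call refreshes ctime, so mtime > ctime
    only occurs when mtime was set ahead of the clock; on Windows st_ctime is the
    creation time, so that check is skipped there.
    """
    now = time.time() if now is None else now
    flagged = []
    for p in iter_files(locations):
        rec = mac_times(p)
        reasons = []
        for key in ("mtime", "atime", "ctime"):
            if window_start <= rec[key] <= window_end:
                reasons.append(f"{key} inside incident window ({iso(rec[key])})")
        if os.name != "nt" and rec["mtime"] > rec["ctime"] + 1:
            reasons.append("mtime later than ctime (timestamp set by hand?)")
        if rec["mtime"] > now + 60:
            reasons.append(f"mtime in the future ({iso(rec['mtime'])})")
        if reasons:
            rec["reasons"] = reasons
            flagged.append(rec)
    flagged.sort(key=lambda r: r["mtime"])
    return flagged


def demo() -> list:
    """Constructed sample: a fake startup folder with one benign and two suspicious files."""
    now = time.time()
    startup = Path(tempfile.mkdtemp(prefix="startup_sample_"))
    window_start, window_end = now - 2 * 3600, now - 600   # assumed incident window

    legit = startup / "legit.conf"                     # old config, untouched
    legit.write_text("constructed sample\n")
    os.utime(legit, (now - 30 * 86400, now - 30 * 86400))

    dropper = startup / "dropper.exe"                  # written during the incident
    dropper.write_bytes(b"MZ constructed sample")
    os.utime(dropper, (now - 3600, now - 3600))

    stomped = startup / "stomped.dll"                  # mtime pushed into the future
    stomped.write_bytes(b"constructed sample")
    os.utime(stomped, (now, now + 86400))

    return [(Path(r["path"]).name, r["reasons"])
            for r in triage([startup], window_start, window_end, now=now)]


if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", "; ".join(reasons))
```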
Operating System Shutdown Procedure
It is important to shut down the operating system in a proper manner so that it will not damage the integrity of the files
Different operating systems have different shut down procedures
MS DOS/Windows 3.X/NT 3.51/95/98/NT 4.0 operating system:
• Take a photograph of the screen
• If any program is running, give a brief explanation
• Unplug the power cord from the wall socket
Operating System Shutdown Procedure (cont’d)
UNIX/Linux Operating Systems
• Right click Menu -> click Console
• If the root user’s prompt is set to # sign mode:
• Enter the password if available and type sync;sync;halt to shut down the system
• If the password is not available, unplug the power cord from the wall socket
• If it is set to console # sign mode:
• Enter the user’s ID and press Enter
• If the user’s ID is root, type sync;sync;halt to shut down the system
• If the user’s ID is not root, unplug the power cord from the wall socket
MacOS Operating System
• Record the time from the menu bar
• Click Special -> Shutdown
• Unplug the power cord from the wall socket
Computers and Servers
Photograph the computer and ancillary (connected) equipment
Photograph the connectors behind the computer and individually
label them
Record the cables and the respective ports to which they are
connected
Seal the power socket with tape to prevent inadvertent use
Disconnect the monitor, keyboard, mouse, and CPU
Preserving Electronic Evidence
Document the actions and changes that you observe on the monitor, computer, printer, or other peripherals
Take a photograph of the monitor screen if the computer is switched on
Photograph the connections of the computer and the corresponding cables, and label them individually
If any electronic devices such as PDAs or cell phones are present, photograph and label each device, collect all of its cables, and transport them along with the device
Seizing Portable Computers
Photograph the portable and ancillary (connected)
equipment
Photograph the connectors in the back of the portable and
individually label them
Record which cables are connected to what ports in the
portable
Remove the battery
Switched ON Portables
Portables with their power on should be handled in the same way as a powered-on PC
If the portable is asleep, the date and time at which it "wakes up" must be recorded
Prior to pulling the power on a portable, the battery must be removed
If it is not possible to remove the battery, pressing and holding the power on/off switch for 30 seconds or so will force a hard power-off
Collecting and Preserving Electronic Evidence

Packaging and Transporting Electronic Evidence
Evidence Bag Contents List
The panel on the front of evidence bags must be filled in with at least the
following details:
Date and time of seizure
Seized by whom
Exhibit number
Seized from which place
Details of the contents of the evidence bag
Packaging Electronic Evidence
Make sure that the collected electronic evidence is properly documented, labeled, and listed before packaging
Look for hidden or trace evidence and take the necessary actions to preserve it
Pack magnetic media in antistatic packaging
Avoid folding or scratching storage media such as diskettes, CD-ROMs, and tapes
Make sure that all the containers that hold evidence are labeled appropriately
Exhibit Numbering
All evidence collected should be marked as exhibits using this format:
• aaa/ddmmyy/nnnn/zz
• Where,
• aaa are the initials of the Forensic Analyst or Law Enforcement Officer seizing the equipment
• ddmmyy is the date of the seizure (day, month, two-digit year)
• nnnn is the sequential number of the exhibits seized by aaa, zero-padded to the width of the field and starting at 0001
• zz is the sequence letter for parts of the same exhibit (e.g. ‘A’ could be the CPU, ‘B’ the monitor, ‘C’ the keyboard, etc.)
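An exhibit number that is written on every bag and form should be generated and checked the same way by everyone on the case. The block below is an added example, not part of the EC-Council module, that encodes the aaa/ddmmyy/nnnn/zz convention above as a formatter and a parser. It assumes initials of two or three capital letters, a four-digit zero-padded sequence field, a one- or two-letter part suffix (A, B, ... Z, AA, ...), and reads the two-digit year as 20yy; the initials and dates used are constructed sample data.

```python
"""Build and validate exhibit numbers in the aaa/ddmmyy/nnnn/zz format.

Added example, not part of the EC-Council module. Field widths and the
part-suffix convention are assumptions stated in the lead-in.
"""
import datetime
import re

EXHIBIT_RE = re.compile(
    r"^(?P<initials>[A-Z]{2,3})/"
    r"(?P<dd>\d{2})(?P<mm>\d{2})(?P<yy>\d{2})/"
    r"(?P<seq>\d{4})/"
    r"(?P<part>[A-Z]{1,2})$"
)


def make_exhibit_number(initials, seized_on, seq, part):
    """Return e.g. 'BOB/011208/0001/A' for exhibit 1, part A, seized 1 Dec 2008."""
    initials = initials.upper()
    if not re.fullmatch(r"[A-Z]{2,3}", initials):
        raise ValueError("initials must be 2-3 letters")
    if not 1 <= seq <= 9999:
        raise ValueError("sequence number must be 1..9999")
    part = part.upper()
    if not re.fullmatch(r"[A-Z]{1,2}", part):
        raise ValueError("part must be one or two letters")
    return f"{initials}/{seized_on:%d%m%y}/{seq:04d}/{part}"


def parse_exhibit_number(text):
    """Split an exhibit number into its fields; raise ValueError if malformed."""
    m = EXHIBIT_RE.match(text.strip())
    if not m:
        raise ValueError(f"not in aaa/ddmmyy/nnnn/zz form: {text!r}")
    # Two-digit years are read as 20yy (assumption: seizures after 1999).
    # datetime.date rejects impossible dates such as day 31 of month 13.
    seized_on = datetime.date(2000 + int(m["yy"]), int(m["mm"]), int(m["dd"]))
    seq = int(m["seq"])
    if seq == 0:
        raise ValueError("sequence numbers start at 0001")
    return {
        "initials": m["initials"],
        "seized_on": seized_on,
        "seq": seq,
        "part": m["part"],
    }


def next_part(part):
    """Advance the part suffix: A -> B, Z -> AA, AZ -> BA (assumed convention)."""
    letters = list(part.upper())
    i = len(letters) - 1
    while i >= 0:
        if letters[i] != "Z":
            letters[i] = chr(ord(letters[i]) + 1)
            return "".join(letters)
        letters[i] = "A"
        i -= 1
    return "A" + "".join(letters)


if __name__ == "__main__":
    seized = datetime.date(2008, 12, 1)  # constructed sample date
    cpu = make_exhibit_number("bob", seized, 1, "A")
    monitor = make_exhibit_number("bob", seized, 1, next_part("A"))
    print(cpu, monitor, parse_exhibit_number(monitor))
```

Parsing on the way in (when a form is transcribed) catches transposed date digits and a sequence field that was left at zero before the number is propagated to the custody log.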
Transporting Electronic Evidence
Keep electronic evidence away from magnetic sources while transporting it
Store the evidence in a secure area away from high temperature and humidity
Avoid storing electronic evidence in vehicles for extended periods
Make sure that computers and other electronic components that are not packed in containers are secured in the vehicle against shock and excessive vibration
Maintain the chain of custody on the evidence that is to be transported
Handling and Transportation to the Forensics Laboratory
Avoid turning the computer upside down or laying it on its side during transport
When transporting a computer or other computer devices, do not place them in a car trunk or any other area where there is a possibility of dramatic temperature and humidity changes
In a vehicle, the ideal place for transport is the rear seat, positioned so that the computer will not fall if the brakes are applied suddenly or during a quick maneuver
Keep all evidence away from any source of magnetism or similar source of power that could affect the integrity of the electronic evidence
Storing Electronic Evidence
Ensure that the electronic evidence is listed in accordance with departmental policies
Store the electronic evidence in a secure area with a climate-controlled environment
Protect the electronic evidence from magnetic fields, dust, vibration, and other factors that may damage its integrity
Chain of Custody
‘Chain of Custody’ refers to a written account of the individuals who had sole physical custody of a piece of evidence from the time it was seized until the end of the case
By becoming a ‘link’ in the ‘Chain of Custody’ and taking possession of a piece of evidence, an individual takes on the responsibility to secure it in a manner that can later stand legal scrutiny should there be a claim of evidence tampering
Chain of Custody (cont’d)
The chain of custody document contains the complete information about the obtained evidence
It contains the following information:
• Case number
• Name and title of the person from whom the evidence was received
• Address and telephone number
• Location from where the evidence was obtained
• Date/time the evidence was received
• Item number/quantity/description of items
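The chain of custody is described above as a written account of every hand-over, and the evidence bag panel and custody form carry the same fields (exhibit number, who seized it, from where, media model and serial number). The block below is an added example, not part of the EC-Council module, that keeps that account as a list of custody entries in which each entry carries the SHA-256 of the entry before it, so that rewriting or deleting an earlier hand-over is detectable. The case number, names, serial number, locations and times are constructed sample data based on the module's opening scenario; the exhibit number is a string in the page's aaa/ddmmyy/nnnn/zz form.

```python
"""Tamper-evident chain-of-custody record for one exhibit.

Added example, not part of the EC-Council module. All names, numbers and
times are constructed sample data.
"""
import hashlib
import json

GENESIS = "0" * 64  # the seizure link has no earlier link to point at


def _digest(entry):
    """Hash the canonical JSON form of an entry (sorted keys, no whitespace)."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def new_record(case_number, exhibit_number, description, media_model, serial_no,
               seized_from, location, seized_by, seized_at):
    """Start the chain with the seizure itself as link 0."""
    seizure = {
        "link": 0,
        "action": "seized",
        "received_from": seized_from,
        "received_by": seized_by,
        "location": location,
        "at": seized_at,
        "prev": GENESIS,
    }
    return {
        "case_number": case_number,
        "exhibit_number": exhibit_number,
        "description": description,
        "media_model": media_model,
        "serial_no": serial_no,
        "custody": [seizure],
    }


def transfer(record, from_person, to_person, location, at, purpose):
    """Append a hand-over; its `prev` is the digest of the current last link."""
    last = record["custody"][-1]
    entry = {
        "link": last["link"] + 1,
        "action": "transferred",
        "received_from": from_person,
        "received_by": to_person,
        "location": location,
        "at": at,
        "purpose": purpose,
        "prev": _digest(last),
    }
    record["custody"].append(entry)
    return entry


def verify(record):
    """Return (ok, problems); ok is False if any link is out of sequence,
    does not hash to the next link's `prev`, or was handed over by someone
    other than the person the previous link says was holding it."""
    problems = []
    links = record["custody"]
    if not links or links[0]["prev"] != GENESIS:
        problems.append("chain does not start at a seizure link")
    for i in range(1, len(links)):
        if links[i]["link"] != links[i - 1]["link"] + 1:
            problems.append(f"link {i}: sequence gap")
        if links[i]["prev"] != _digest(links[i - 1]):
            problems.append(f"link {i}: previous entry altered or missing")
        if links[i]["received_from"] != links[i - 1]["received_by"]:
            problems.append(f"link {i}: handed over by someone who did not hold it")
    return (not problems, problems)


def sample_record():
    """Constructed sample: the server disk from the module's opening scenario."""
    rec = new_record(
        case_number="2008-0142", exhibit_number="BOB/011208/0001/A",
        description="3.5in SATA hard disk removed from office server",
        media_model="ExampleDisk 250GB", serial_no="SN-EXAMPLE-0001",
        seized_from="Sam (system administrator)", location="Server room, 2nd floor",
        seized_by="Bob", seized_at="2008-12-01T09:15:00Z",
    )
    transfer(rec, "Bob", "Evidence locker", "Forensics lab, locker 7",
             "2008-12-01T11:40:00Z", "secure storage")
    transfer(rec, "Evidence locker", "Bob", "Forensics lab, bench 2",
             "2008-12-02T08:05:00Z", "disk imaging")
    return rec


if __name__ == "__main__":
    print(json.dumps(sample_record(), indent=2), verify(sample_record()))
```

The hash chain only proves internal consistency of the file; the signed paper form, or a digest of the file written into the case notes at each hand-over, is still what ties it to a person and a time.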
Simple Format of the Chain of Custody Document

Chain of Custody Form

Chain of Custody Form (cont’d)
Media Model | Serial No
(ten blank rows, one per item of media held under this chain of custody)

Chain of Custody on Property Evidence Envelope or Bag

Chain of Custody Property Sign-out Sheet
Reporting the Crime Scene
The first responder creates a final report after completing the forensics process that contains complete information about the process
The report should include:
• Date and time of the crime
• Model, size, and partitioning of the hard disk, to account for hidden or missing data
• Name and version of the operating system running on the victim’s computer
• Result of a file system check such as ScanDisk or CHKDSK, to establish the integrity of any data found
• Result of the virus scanning process
• Software present on the victim’s computer
• List of files stored on the victim’s computer with their creation and modification times
• Name and version of the software used in the processing of computer evidence
• Name of each person interviewed and the statement they gave
Note Taking Checklist
Crime Scene Checklist
First Responder Common Mistakes
Most of the time, a system or network administrator acts as the first responder at the crime scene
They often mishandle the security incident because they are not familiar with first responder procedure
Common mistakes committed by the first responder are as follows:
• Shutting down or rebooting the victim’s computer (this discards the volatile state in memory and alters files on disk before either has been documented)
• Assuming that some components of the victim’s computer may be reliable and usable (a compromised system, such as the rootkit-infected server in the opening scenario, cannot be trusted to report its own state)
• Not having access to baseline documentation about the victim computer
• Not documenting the data collection process
Summary
Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device
When the user of the hardware is present, consent to seize or examine it may be required; record whether consent was asked for and given
Documentation of the scene creates an unchanging historical record of the scene
The ‘Chain of Custody’ refers to a written account of individuals who had sole physical custody of a piece of evidence from the time it was seized until the end of the case
Weitere ähnliche Inhalte

Was ist angesagt? (20)

File000115
File000115File000115
File000115
 
File000166
File000166File000166
File000166
 
File000164
File000164File000164
File000164
 
File000176
File000176File000176
File000176
 
File000163
File000163File000163
File000163
 
File000168
File000168File000168
File000168
 
File000173
File000173File000173
File000173
 
File000162
File000162File000162
File000162
 
File000167
File000167File000167
File000167
 
File000170
File000170File000170
File000170
 
Chfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays WorldChfi V3 Module 01 Computer Forensics In Todays World
Chfi V3 Module 01 Computer Forensics In Todays World
 
CS6004 Cyber Forensics - UNIT IV
CS6004 Cyber Forensics - UNIT IVCS6004 Cyber Forensics - UNIT IV
CS6004 Cyber Forensics - UNIT IV
 
File000171
File000171File000171
File000171
 
Ce hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handlingCe hv6 module 57 computer forensics and incident handling
Ce hv6 module 57 computer forensics and incident handling
 
Lect 1 computer forensics
Lect 1 computer forensicsLect 1 computer forensics
Lect 1 computer forensics
 
File000139
File000139File000139
File000139
 
Ce hv6 module 55 preventing data loss
Ce hv6 module 55 preventing data lossCe hv6 module 55 preventing data loss
Ce hv6 module 55 preventing data loss
 
Computer forensics toolkit
Computer forensics toolkitComputer forensics toolkit
Computer forensics toolkit
 
Cyber forensic-Evedidence collection tools
Cyber forensic-Evedidence collection toolsCyber forensic-Evedidence collection tools
Cyber forensic-Evedidence collection tools
 
Computer forensics and its role
Computer forensics and its roleComputer forensics and its role
Computer forensics and its role
 

Andere mochten auch (8)

CHFI
CHFICHFI
CHFI
 
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDiagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
 
Fire Safety & Generators
Fire Safety & GeneratorsFire Safety & Generators
Fire Safety & Generators
 
Fire
FireFire
Fire
 
Various types of Fire Extinguishers from Safelincs Ltd
Various types of Fire Extinguishers from Safelincs LtdVarious types of Fire Extinguishers from Safelincs Ltd
Various types of Fire Extinguishers from Safelincs Ltd
 
Fire extinguisher training
Fire extinguisher trainingFire extinguisher training
Fire extinguisher training
 
Computer Forensics Bootcamp
Computer Forensics BootcampComputer Forensics Bootcamp
Computer Forensics Bootcamp
 
Interviewing PPT
Interviewing PPTInterviewing PPT
Interviewing PPT
 

Ähnlich wie File000118

mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptxAmbuj Kumar
 
Presentation cyber forensics & ethical hacking
Presentation   cyber forensics & ethical hackingPresentation   cyber forensics & ethical hacking
Presentation cyber forensics & ethical hackingAmbuj Kumar
 
Mobile_Forensics- General Introduction & Software.pptx
Mobile_Forensics- General Introduction & Software.pptxMobile_Forensics- General Introduction & Software.pptx
Mobile_Forensics- General Introduction & Software.pptxgouriuplenchwar63
 
Most promising cyber forensic solution providers from india forn sec solut...
Most promising cyber forensic solution providers  from india   forn sec solut...Most promising cyber forensic solution providers  from india   forn sec solut...
Most promising cyber forensic solution providers from india forn sec solut...FORnSECSolutions
 
Best Cyber Crime Investigation Service Provider | Fornsec Solutions
Best Cyber Crime Investigation Service Provider | Fornsec SolutionsBest Cyber Crime Investigation Service Provider | Fornsec Solutions
Best Cyber Crime Investigation Service Provider | Fornsec SolutionsFORnSECSolutions
 
What is Digital Forensics.docx
What is Digital Forensics.docxWhat is Digital Forensics.docx
What is Digital Forensics.docxAliAshraf68199
 
IEA Presentation - Electronic Records & Electronic Evidence: Section 65B
IEA Presentation - Electronic Records & Electronic Evidence: Section 65BIEA Presentation - Electronic Records & Electronic Evidence: Section 65B
IEA Presentation - Electronic Records & Electronic Evidence: Section 65Bbanerjeerohit
 
4.1.2 area 2016
4.1.2 area 20164.1.2 area 2016
4.1.2 area 2016dilahkmpk
 
Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersCe hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersVi Tính Hoàng Nam
 
Uncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsUncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsParaben Corporation
 
Uc14 chap15
Uc14 chap15Uc14 chap15
Uc14 chap15ayahye
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidencerakesh mishra
 
Computer forensics
Computer  forensicsComputer  forensics
Computer forensicsLalit Garg
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Stepsgamemaker762
 
Uganda lawsociety v2digitalforensics
Uganda lawsociety v2digitalforensicsUganda lawsociety v2digitalforensics
Uganda lawsociety v2digitalforensicsMustapha Mugisa
 

Ähnlich wie File000118 (20)

cyber forensics
cyber forensicscyber forensics
cyber forensics
 
mobile forensic.pptx
mobile forensic.pptxmobile forensic.pptx
mobile forensic.pptx
 
Presentation cyber forensics & ethical hacking
Presentation   cyber forensics & ethical hackingPresentation   cyber forensics & ethical hacking
Presentation cyber forensics & ethical hacking
 
Mobile_Forensics- General Introduction & Software.pptx
Mobile_Forensics- General Introduction & Software.pptxMobile_Forensics- General Introduction & Software.pptx
Mobile_Forensics- General Introduction & Software.pptx
 
CYBERFORENSICS
CYBERFORENSICSCYBERFORENSICS
CYBERFORENSICS
 
File000146
File000146File000146
File000146
 
Most promising cyber forensic solution providers from india forn sec solut...
Most promising cyber forensic solution providers  from india   forn sec solut...Most promising cyber forensic solution providers  from india   forn sec solut...
Most promising cyber forensic solution providers from india forn sec solut...
 
Best Cyber Crime Investigation Service Provider | Fornsec Solutions
Best Cyber Crime Investigation Service Provider | Fornsec SolutionsBest Cyber Crime Investigation Service Provider | Fornsec Solutions
Best Cyber Crime Investigation Service Provider | Fornsec Solutions
 
What is Digital Forensics.docx
What is Digital Forensics.docxWhat is Digital Forensics.docx
What is Digital Forensics.docx
 
IEA Presentation - Electronic Records & Electronic Evidence: Section 65B
IEA Presentation - Electronic Records & Electronic Evidence: Section 65BIEA Presentation - Electronic Records & Electronic Evidence: Section 65B
IEA Presentation - Electronic Records & Electronic Evidence: Section 65B
 
4.1.2 area 2016
4.1.2 area 20164.1.2 area 2016
4.1.2 area 2016
 
Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computersCe hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computers
 
Uncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic toolsUncover important digital evidence with digital forensic tools
Uncover important digital evidence with digital forensic tools
 
Cyber forensics and auditing
Cyber forensics and auditingCyber forensics and auditing
Cyber forensics and auditing
 
Uc14 chap15
Uc14 chap15Uc14 chap15
Uc14 chap15
 
Uc14 chap15
Uc14 chap15Uc14 chap15
Uc14 chap15
 
Analysis of digital evidence
Analysis of digital evidenceAnalysis of digital evidence
Analysis of digital evidence
 
Computer forensics
Computer  forensicsComputer  forensics
Computer forensics
 
Digital forensics Steps
Digital forensics StepsDigital forensics Steps
Digital forensics Steps
 
Uganda lawsociety v2digitalforensics
Uganda lawsociety v2digitalforensicsUganda lawsociety v2digitalforensics
Uganda lawsociety v2digitalforensics
 

Mehr von Desmond Devendran (18)

Siam key-facts
Siam key-factsSiam key-facts
Siam key-facts
 
Siam foundation-process-guides
Siam foundation-process-guidesSiam foundation-process-guides
Siam foundation-process-guides
 
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledgeSiam foundation-body-of-knowledge
Siam foundation-body-of-knowledge
 
Enterprise service-management-essentials
Enterprise service-management-essentialsEnterprise service-management-essentials
Enterprise service-management-essentials
 
Service Integration and Management
Service Integration and Management Service Integration and Management
Service Integration and Management
 
CHFI 1
CHFI 1CHFI 1
CHFI 1
 
File000175
File000175File000175
File000175
 
File000174
File000174File000174
File000174
 
File000169
File000169File000169
File000169
 
File000165
File000165File000165
File000165
 
File000161
File000161File000161
File000161
 
File000160
File000160File000160
File000160
 
File000159
File000159File000159
File000159
 
File000158
File000158File000158
File000158
 
File000157
File000157File000157
File000157
 
File000156
File000156File000156
File000156
 
File000155
File000155File000155
File000155
 
File000154
File000154File000154
File000154
 

Kürzlich hochgeladen

20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostMatt Ray
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 

Kürzlich hochgeladen (20)

20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 

File000118

  • 1. Module V - First Responder Procedures
  • 2. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Scenario Sam, a system administrator, was surprised to see critical files missing from his office server. He suspected that the server was compromised. He did not want to take a chance by investigating the system himself. Sam reported the incident to Bob, an Information Security Officer employed with the same firm. Bob took note of the request from Sam. Being a CHFI, seizing Sam’s system and following the basic procedures in investigating the case was easy for Bob. He investigated the image file of the hard disk of the server. His investigation revealed the presence of rootkit in one of the directories of the server During the investigation process, Sam recalled downloading a patch management tool from the Internet from a third party source. He realized that the rootkit could have been bundled with the patch management tool.
  • 3. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Mobile Handsets Becoming A 'Smoking Gun' Source: http://www.darkreading.com/ Rise in mobile devices in the enterprise adds new challenges to incident response Dec 01, 2008 | 02:42 PM By Kelly Jackson Higgins DarkReading You have to be fast when seizing a mobile handheld device in the wake of a security breach -- a dead battery or still-live signal could wipe out or taint the evidence stored on it. As handheld devices gain more data features and storage, they also are increasingly becoming a smoking gun in an enterprise data breach, especially when it comes to the insider threat, security experts say. But getting hold of these devices and freezing the evidence on them isn't so easy. "The biggest data breach [with handhelds] today is probably lost or stolen handhelds," says Randy Abrams, director of technical education at Eset. "The fact that many of these devices support MicroSD card of at least 2 gigabytes of capacity makes them extremely agile for transporting data. Insiders have no problem copying large amounts of data from a PC to their smartphone. Even if the possession of the data is legitimate, a lost device with unencrypted data can be a gold mine for the finder." But the evidence on the devices can be easily lost or tainted. Amber Schroader, president and founder of Paraben, says the key is to maintain power on the device and protect it from any changes that could contaminate the evidence on it. "You can put aluminum foil around it to make sure the signal is blocked" or put a Faraday cage around it to protect the evidence, she said during a presentation at the recent CSI 2008 conference. The first responder to a handheld device could have less than a minute to properly seize and contain one of these "volatile" devices, she says. If the battery dies, so does the forensics data that was on a Windows Mobile device, for instance, Schroader said. 
"Every three days a new digital device goes into the consumer market," she said, and there aren't enough forensic examiners to keep up with them.
  • 4. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • Electronic Evidence • First Responder • Role of the First Responder • Electronic Devices: Types and Collecting Potential Evidence • First Responder Toolkit • Evidence Collecting Tools and Equipment • First Responder Procedures • Securing and Evaluating Electronic Crime Scene • Conducting Preliminary Interviews • Documenting Electronic Crime Scene • Collecting and Preserving Electronic Evidence • Packaging Electronic Evidence • Transporting Electronic Evidence • Reporting the Crime Scene • First Responder Common Mistakes This module will familiarize you with:
  • 5. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Securing and Evaluating Electronic Crime Scene Collecting and Preserving Electronic Evidence Documenting Electronic Crime Scene Reporting the Crime Scene Transporting Electronic Evidence Packaging Electronic Evidence Conducting Preliminary Interviews First Responder Common Mistakes First ResponderElectronic Evidence First Responder Procedures Role of First Responder Evidence Collecting Tools and Equipment Electronic Devices: Types and Collecting Potential Evidence First Responder Toolkit
• 6. Electronic Evidence
“Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device”
Properties of the electronic evidence:
• It is hidden, similar to fingerprint evidence or DNA evidence
• It can be broken, altered, damaged, or destroyed by improper handling
• It expires within a pre-set time
• 7. First Responder
A first responder is the person who arrives first at the crime scene and accesses the victim’s computer system after the incident
He may be a network administrator, law enforcement officer, or investigation officer
He is responsible for protecting, integrating, and preserving the evidence obtained from the crime scene
• 8. Roles of First Responder
• Identifying the crime scene
• Protecting the crime scene
• Preserving temporary and fragile evidence
• Collecting the complete information about the incident
• Documenting all the findings
• Packaging and transporting the electronic evidence
• 9. Electronic Devices: Types and Collecting Potential Evidence
Computer systems:
• Evidence is found in files that are stored on servers, memory cards, hard drives, removable storage devices and media such as floppy disks, CDs, DVDs, cartridges, and tape
Hard drive:
• To collect the evidence, check text, picture, video, multimedia, database, and computer program files
Thumb drive:
• To collect the evidence, check text, graphics, image, and picture files
Memory card:
• To collect the evidence, check event logs, chat logs, text files, image files, picture files, and Internet browsing history
• 10. Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Smart card, dongle, and biometric scanner:
• Evidence is found by recognizing or verifying the information of the card with the user, level of access, configurations, permissions, and in the device itself
Answering machine:
• Evidence is found in voice recordings such as deleted messages, last number called, memo, phone numbers, and tapes
Digital camera:
• Evidence is found in images, removable cartridges, video, sound, and time and date stamps
Pager:
• To collect the evidence, check address information, text messages, e-mail, voice messages, and phone numbers
• 11. Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Personal digital assistants:
• Evidence is found in address books, appointment calendars or information, documents, and e-mail
Printer:
• Evidence is found through usage logs, time and date information, and network identity information
Removable storage devices (tape, CD, DVD, floppy):
• Evidence is found in the devices themselves
Telephones:
• Evidence is found through names, phone numbers, caller identification information, and appointment information
Modem:
• Evidence is found on the device itself
• 12. Electronic Devices: Types and Collecting Potential Evidence (cont’d)
Scanner:
• Evidence is found through names, phone numbers, caller identification information, and appointment information
Copiers:
• Evidence is found in documents, user usage logs, and time and date stamps
Credit Card Skimmers:
• Evidence is found through the card’s expiration date, user’s address, credit card numbers, and user’s name
Digital Watches:
• Evidence is found through address book, notes, appointment calendars, phone numbers, and emails
Facsimile (Fax) Machines:
• Evidence is found through documents, phone numbers, film cartridge, and send or receive logs
• 13. First Responder Toolkit
• 14. First Responder Toolkit
A first responder toolkit is a set of tested tools that helps the first responder collect genuine and presentable evidence
It helps the first responder understand the limitations and capabilities of electronic evidence at the time of collection
• 15. Creating a First Responder Toolkit
Create a trusted forensic computer or testbed by:
• Choose the related operating system
• Completely sanitize the forensics computer
• Install the operating system and required software
• Update and patch the forensics computer
• Install a file integrity monitor to test the integrity of the file system
Document the details of the forensics computer with:
• Version name and type of the operating system
• Name and types of different software
• Name and types of the installed hardware
• 16. Creating a First Responder Toolkit (cont’d)
Document the summary of the collected tools:
• It helps the first responder to understand how a tool works
• The summary comprises:
  • Acquisition of the tool
  • Detailed description of the tool
  • Working of the tool
  • Tool dependencies and the effects on the system
Test the tools:
• Test the collected tools on the forensics computer and examine the performance and output
• Examine the effects of the tool on the forensics computer
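The "install a file integrity monitor" and "test the tools" steps above come down to one practice: hash every file in the toolkit once it is trusted, keep that baseline somewhere the toolkit itself cannot alter, and re-check before each deployment. The following is an added example of that baseline-and-verify cycle; it is not EC-Council's code or any product's, and the toolkit directory, file names and the tampering it simulates are all constructed for the demonstration.

```python
"""Added example: a file-integrity baseline for a first-responder toolkit.

Not EC-Council code. Assumes the toolkit lives under one directory tree and
that the baseline JSON is kept off the forensic computer (for instance on
write-protected media) so it cannot be altered together with the tools.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large tool images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree against a stored baseline.

    Any non-empty list means the toolkit can no longer be called 'tested':
    re-test (or re-image) before taking it to a scene.
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline.keys() & current.keys()
            if baseline[name] != current[name]
        ),
    }


def demo() -> dict[str, list[str]]:
    """Constructed toolkit tree: baseline it, simulate drift, report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "docs").mkdir()
        (root / "bin" / "imager").write_bytes(b"#!/bin/sh\necho acquisition tool\n")
        (root / "docs" / "tool-summary.txt").write_text("imager: acquisition, tested 2008-12-01\n")

        # Serialise exactly as you would store it on write-protected media.
        stored = json.dumps(build_baseline(root), indent=2, sort_keys=True)

        # Simulated drift after baselining: a tool changed, a file appeared, a record vanished.
        (root / "bin" / "imager").write_bytes(b"#!/bin/sh\necho acquisition tool v2\n")
        (root / "bin" / "unexpected.exe").write_bytes(b"MZ constructed sample")
        (root / "docs" / "tool-summary.txt").unlink()

        return verify_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` reports `bin/imager` as modified, `bin/unexpected.exe` as added and `docs/tool-summary.txt` as removed. The baseline is keyed by relative path so the same JSON can be checked against a copy of the toolkit on a different drive letter or mount point.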
• 17. Evidence Collecting Tools and Equipment
Departments should have general crime scene processing tools (e.g., cameras, notepads, sketchpads, evidence forms, crime scene tape, and markers)
Documentation Tools:
• Cable tags
• Indelible felt tip markers
• Stick-on labels
Disassembly and Removal Tools:
• Flat-blade and Phillips-type screwdrivers
• Hex-nut drivers
• Needle-nose pliers
• Secure-bit drivers
• Small tweezers
• Specialized screwdrivers
• Standard pliers
• Star-type nut drivers
• Wire cutter
• 18. Evidence Collecting Tools and Equipment (cont’d)
Package and Transport Supplies:
• Antistatic bags
• Antistatic bubble wrap
• Cable ties
• Evidence bags
• Evidence tape
• Label tag
• Tape
• Packing materials
• Sturdy boxes of various sizes
Other Tools:
• Gloves
• Hand truck
• Magnifying glass
• Printer paper
• Seizure disk
• Unused floppy diskettes
• 19. Evidence Collecting Tools and Equipment (cont’d)
Notebook Computers:
• Licensed software
• Bootable CD
• External hard drives
• Network cables
Software Tools:
• DIBS® Mobile Forensic Workstation
• AccessData's Ultimate Toolkit
• TEEL Technologies SIM tools
Hardware Tools:
• Paraben Forensics Hardware
• Digital Intelligence Forensic Hardware
• Tableau Hardware Accelerator
• Wiebetech forensics hardware tools
• Logicube forensics hardware tools
• 20. First Response Basics
• 21. First Response Rule
Under no circumstances should anyone, with the exception of qualified computer forensics personnel, make any attempt to restore or recover information from a computer system or device that holds electronic information
Any attempt to retrieve data by unqualified individuals should be avoided, as such attempts could either compromise the integrity of the files or result in the files being inadmissible in legal or administrative proceedings
• 22. Incident Response: Different Situations
First response to an incident may involve three different groups of people, and each will have differing skills and need to carry out differing tasks based on the incident
The three groups are:
• System administrators
• Local managers or other non-forensic staff
• Laboratory forensic staff
• 23. First Response for System Administrators
The actions taken by the system administrator after discovery of a potential computer violation will play a vital role in the investigation
Once an incident has been discovered by a system administrator, they must report it according to the current organisational incident reporting procedures
The system administrator should then not touch the system unless directed to by either the incident or duty manager or one of the forensic analysts assigned to the case
• 24. First Response by Non-Laboratory Staff
Secure the scene and ensure that it is maintained in a secure state until the Forensic Team advises
Make notes about the scene that will eventually be handed over to the Forensic Team
The whole area surrounding a suspect computer, and not just the computer itself, is the incident scene
• 25. First Response by Laboratory Forensic Staff
First response by laboratory forensic staff involves six stages:
1: Securing and evaluating electronic crime scene
• Search warrant for search and seizure
• Plan for search and seizure
• Conduct the initial search of the scene
• Health and safety issues
2: Conducting preliminary interviews
• Ask questions
• Check the consent issues
• Witness signatures
• Initial interviews
• 26. First Response by Laboratory Forensic Staff (cont’d)
3: Documenting electronic crime scene
• Photographing the scene
• Sketching the scene
4: Collecting and preserving electronic evidence
• Evidence collection
• Exhibit numbering
• Dealing with powered OFF/ON computers at the seizure time
• Seizing portable computers
5: Packaging electronic evidence
6: Transporting electronic evidence
• Handling and transportation to the Forensic Laboratory
• Ensure the ‘Chain of custody’ is strictly followed
• 27. Securing and Evaluating Electronic Crime Scene
• 28. Securing and Evaluating Electronic Crime Scene: A Check-list
• Follow the policies of the legal authority for securing the crime scene
• Verify the type of the incident
• Make sure that the scene is safe for you and for other responders
• Isolate other persons who are present at the scene
• Locate and help the victim
• Verify the data related to offenders
• Transmit additional flash messages to other responding units
• Request additional help at the scene if needed
• Establish a security perimeter and determine whether offenders are still present in the crime scene area
• 29. Securing and Evaluating Electronic Crime Scene: A Check-list (cont’d)
• Protect the evidence that is at risk of being lost or signed as agreement
• Protect perishable data (e.g. pagers and Caller ID boxes) physically and electronically
• Make sure that the devices that contain perishable data are secured, documented, and/or photographed
• Recognize the telephone lines that are connected to devices such as modems and caller ID boxes
• Document, disconnect, and label telephone lines or network cables
• Observe the situation at the scene and record those observations
• Protect physical evidence or hidden fingerprints that are found on keyboards, mice, diskettes, and CDs
• 30. Securing the Crime Scene
• 31. Warrant for Search and Seizure
A search warrant allows the first responder to perform the search and seizure of the electronic evidence that is mentioned in the search warrant
Search warrants for electronic devices basically focus on the following:
Electronic storage device search warrant
• Allows the first responder to search and seize the victim’s computer components (such as hardware, software, storage devices, and documentation)
Service provider search warrant
• Allows the first responder to get the victim’s computer information (such as service records, billing records, and subscriber information) from the service provider
• 32. Planning the Search and Seizure
A search and seizure plan contains the following details:
• Description of the incident
• Incident manager running the incident
• Case name/title for the incident
• Location of the incident
• Applicable jurisdiction and relevant legislation
• Location of the equipment to be seized:
  • Structure’s type and size
  • Where the computer(s) are located (all in one place, or spread across the building or floors)
  • Who will be present at the incident?
  • Is there a friendly atmosphere at the location?
• 33. Planning the Search and Seizure (cont’d)
Details of what is to be seized (make, model, location, ID etc.):
• Type of device and number to be seized
• Will the computers be running at seizure, or will they be shut down?
• Are they networked?
• If so, what type of network, where is data stored on the network, where are the backups held, is the system administrator a ‘friendly’ person, will it be necessary to take the server down, and what is the business impact of this action?
Search and seizure type (overt / covert)
Local management involvement
• 34. Initial Search of the Scene
Isolate the computer system (workstation, stand-alone, or network server) and other media devices that can contain digital evidence
Include a search and seizure evidence log which contains brief descriptions of all computers, devices, or media located during the search for evidence
Make a note of the locations on the crime scene sketch as well
Photograph and sketch the crime scene, along with a detailed accounting of all computer evidence
• 35. Health and Safety Issues
It is important to consider the health and safety factors in the work carried out at all stages of the forensic process conducted by the forensic analysts
All forensic teams should wear protective latex gloves for searching and seizing operations on site
This is both to protect the staff and to preserve any fingerprints that may need to be recovered at a later date
• 36. Conducting Preliminary Interviews
• 37. Questions to Ask When the Client Calls the Forensic Investigator
• Description of the incident
• Incident manager running the incident
• Case name / title for the incident
• Location of the incident
• What jurisdiction the case and/or seizure is to be performed under
• Details of what is to be seized (make, model, location, ID etc.)
• Other work to be performed at the scene (e.g. full search, evidence required, etc.)
• Whether the search and seizure is to be overt or covert and whether local management should know
• 38. Consent
There are times when the user is present, consent from the user of the hardware is required, and consent is given
In cases such as this, the appropriate forms for the jurisdiction should be used and carried in the grab bag
• 39. Sample of Consent Search Form
• 40. Witness Signatures
Depending on the legislation of the jurisdiction, a signature (or two) may or may not be required to certify collection of evidence
Typically, where one signature is required, it is that of the Forensic Analyst or Law Enforcement Officer performing the seizure
Where two signatures are required, guidance should be sought to determine whose second signature should be taken
Whoever signs as witness needs a clear understanding of their role and may be required to provide a witness statement or attend court
• 41. Conducting Preliminary Interviews
Interview separately and identify all persons (witnesses and others) available at the scene and record their location at the time of entry
Be consistent with departmental policies and applicable laws, and collect information from individuals such as:
• Owners and/or users of electronic devices found at the scene
• User names and Internet service provider
• Passwords required to access the system, software, or data
• Purpose of using the system
• Unique security schemes or destructive devices
• Any offsite data storage
• Documents explaining the hardware or software installed on the system
• 42. Conducting Initial Interviews
If the suspect is present at the search and seizure time, the Incident Manager or the Laboratory Manager may consider asking the suspect some questions, but these must comply with the relevant Human Resources or legislative guidelines for the jurisdiction
At initial interviews the suspect has often had little time to concoct alibis, and when asked questions they often answer truthfully, even to questions like ‘what are the passwords for the account’
• 43. Conducting Initial Interviews (cont’d)
An individual who has physical possession of a piece of evidence is responsible for its security
Evidence should be secured in such a manner that only the individual who has signed for it can gain access to it, though it is noted that this is not always possible
Typical questions could include:
• Are there any keys – some computer cases have physical key locks
• What are the user IDs and passwords for the computer?
• What email addresses are used and what are the user IDs and passwords for them?
• 44. Witness Statement Checklist
• 45. Witness Statement Checklist (cont’d)
• 46. Documenting the Electronic Crime Scene
• 47. Documenting Electronic Crime Scene
Documentation of the scene creates an unchanging historical record of the scene
Document the physical scene, such as the position of the mouse and the location of components near the system
Document related electronic components that are difficult to find
Record the condition of the computer system, storage media, electronic devices, and conventional evidence, including the power status of the computer
Take a photograph of the computer’s screen and write notes on what you have seen on the screen
• 48. Photographing the Scene
Photographing the scene should be the first step taken by the Forensic Team on arrival
Photographing of the crime scene should be done in a manner that does not alter or damage the scene
The ideal situation is to first take several photographs that will establish the location of the scene, followed by an entry photograph, followed by a series of ‘360 degree’ photographs
‘360 degree’ photographs are simply overlapping photographs depicting the entire crime scene
The key to remember in crime scene photography is to go from the overall scene down to the smallest piece of evidence
• 49. Photographing the Scene (cont’d)
Photographs should also be taken of the immediate work area, including computer disks, handwritten notes, and other computer equipment (printers and external drives)
Photographs should also be taken of the rear of the computer to accurately display how the leads are connected
If this cannot be done, then all cables must be labelled, and the PC reconnected back at the Forensic Laboratory should be photographed
• 50. Sketching the Scene
A crime scene sketch should be prepared which details the overall scene
This should include the locations of items within the office area
Again, the rule of thumb for crime scene sketching is to go from the overall scene to the smallest piece of evidence
This may require several sketches to accurately depict the scene
• 51. Video Shooting the Crime Scene
• 52. Collecting and Preserving Electronic Evidence
• 53. Collecting and Preserving Electronic Evidence
When an incident is reported where a computer is assumed to be a part of the incident, it is often the case that this is the first and only item seized. This is wrong.
The scene should be searched in a circular motion with the concept of the computer being at the centre of the circle
Items of evidence, as located, should be photographed, identified within notes, and then collected
Evidence should be identified, recorded, seized, bagged, and tagged on site with no attempts to determine contents or status
• 54. Order of Volatility
When collecting evidence, the collection should proceed from the most volatile to the least volatile. The list below is the order of volatility for a typical system:
• Registers, cache
• Routing table, process table, kernel statistics, and memory
• Temporary file systems
• Disk or other storage media
• Remote logging and monitoring data that is relevant to the system in question
• Physical configuration, network topology
• Archival media
• 55. Dealing with Powered OFF Computers at Seizure Time
If equipment is switched OFF – leave it OFF
• 56. Dealing with Powered ON Computers
The first step to take when approaching an active, powered on, and running computer is:
• STOP and THINK
• The contents of RAM in an active computer system undoubtedly hold some information, and occasionally this can be important to a case
• For example, data which is likely to be found encrypted on a disk might be found in an unencrypted state in memory, or a running process might need to be identified and examined before power is removed
• Any such information in memory will be lost when the power supply to the device is removed
• 57. Dealing with Powered ON Computers (cont’d)
If a computer is switched on and the screen is viewable, then the following must be done:
• Record the programs running on screen
• Photograph the screen
• 58. Dealing with Networked Computers
• Unplug the network cable from the router and modem
• If the computer is off, leave it off
• If the computer is ON, photograph the screen
• If the computer is ON and the screen is blank, move the mouse slowly and take a photograph of the screen
• Label all the connected devices and cords for later identification
• Unplug all the cords and devices connected to the computer
• 59. Dealing with Open Files and Startup Files
Malware attacks on the computer system create files in the startup folder to run the malware program
Follow the listed procedures to find the evidence:
• Open the recently created documents from the startup or system32 folder for Windows and the rc.local file for Linux
• Note down the date and time of the files
• Examine the open files for sensitive data such as passwords, images, etc.
• Search for unusual MAC times on vital folders and startup files
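The last two steps, noting file times and looking for unusual MAC times, can be done systematically against a copy of the startup folder. The following is an added example, not EC-Council's code: it records the Modified, Accessed and Changed times of each file and flags two things the slide's "unusual MAC times" hint covers, a modification time close to the incident time and a modification time later than the inode change time (which a normal write cannot produce). The directory, file names and incident time are constructed for the demonstration.

```python
"""Added example: MAC-time triage of a startup folder (not EC-Council code).

Assumes the folder of interest (the Windows Startup folder, the directory
holding rc.local, or similar) has been copied or mounted read-only so the
triage itself does not refresh access times. Sample files and the incident
time below are constructed.
"""
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from pathlib import Path

# On POSIX st_ctime is the inode-change time; on Windows it is the creation time,
# so the M-after-C heuristic only makes sense on POSIX.
POSIX = os.name == "posix"


@dataclass
class MacRecord:
    name: str
    modified: datetime   # M
    accessed: datetime   # A
    changed: datetime    # C (POSIX) or created (Windows)
    flags: list[str] = field(default_factory=list)


def mac_times(path: Path, root: Path) -> MacRecord:
    st = path.stat()

    def as_utc(ts: float) -> datetime:
        return datetime.fromtimestamp(ts, tz=timezone.utc)

    return MacRecord(path.relative_to(root).as_posix(),
                     as_utc(st.st_mtime), as_utc(st.st_atime), as_utc(st.st_ctime))


def triage(root: Path, incident_time: datetime, window: timedelta) -> list[MacRecord]:
    """Collect MAC times for every file under root and attach triage flags."""
    records = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rec = mac_times(path, root)
        if abs(rec.modified - incident_time) <= window:
            rec.flags.append("modified-near-incident")
        # A normal write sets M and C together; M later than C can only come from an
        # explicit timestamp change (or a clock problem), so treat it as suspicious.
        if POSIX and rec.modified > rec.changed + timedelta(seconds=2):
            rec.flags.append("mtime-after-ctime")
        records.append(rec)
    return records


def demo() -> dict[str, list[str]]:
    """Constructed startup folder: one item dropped during the incident, one
    long-standing item, one whose mtime was pushed into the future."""
    incident = datetime(2008, 12, 1, 14, 42, tzinfo=timezone.utc)  # constructed incident time
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        samples = {
            "autorun.bat": incident + timedelta(minutes=10),
            "printer-agent.lnk": incident - timedelta(days=400),
            "stomped.dll": datetime.now(timezone.utc) + timedelta(days=10),
        }
        for name, mtime in samples.items():
            p = root / name
            p.write_bytes(b"constructed sample\n")
            os.utime(p, (mtime.timestamp(), mtime.timestamp()))  # sets A and M; C becomes now
        return {rec.name: rec.flags for rec in triage(root, incident, timedelta(hours=1))}


if __name__ == "__main__":
    for name, flags in demo().items():
        print(f"{name}: {', '.join(flags) or 'no flags'}")
```

`demo()` flags `autorun.bat` as modified near the incident and, on a POSIX host, `stomped.dll` as having a modification time later than its change time; `printer-agent.lnk` gets no flag. Record the output alongside the photograph and notes rather than acting on it at the scene.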
• 60. Operating System Shutdown Procedure
It is important to shut down the operating system in a proper manner so that it will not damage the integrity of the files
Different operating systems have different shutdown procedures
MS DOS/Windows 3.X/NT 3.51/95/98/NT 4.0 operating systems:
• Take a photograph of the screen
• If any program is running, give a brief explanation
• Unplug the power cord from the wall socket
• 61. Operating System Shutdown Procedure (cont’d)
UNIX/Linux Operating Systems:
• Right click Menu -> click Console
• If the root user’s prompt is set to # sign mode:
  • Enter the password if available and type sync;sync;halt to shut down the system
  • If the password is not available, unplug the power cord from the wall socket
• If it is set to console # sign mode:
  • Enter the user’s ID and press Enter
  • If the user’s ID is root, type sync;sync;halt to shut down the system
  • If the user’s ID is not root, unplug the power cord from the wall socket
MacOS Operating System:
• Record the time from the menu bar
• Click Special -> Shutdown
• Unplug the power cord from the wall socket
• 62. Computers and Servers
• Photograph the computer and ancillary (connected) equipment
• Photograph the connectors behind the computer and individually label them
• Record the cables and the respective ports to which they are connected
• Seal the power socket with tape to prevent inadvertent use
• Disconnect the monitor, keyboard, mouse, and CPU
• 63. Preserving Electronic Evidence
• Document the actions and changes that you observe in the monitor, computer, printer, or other peripherals
• Take a photo of the monitor screen if the computer is in the “on” state
• Photograph the connections of the computer and the corresponding cables, and label them individually
• If any electronic devices such as PDAs or cell phones are present, take a photograph, label the device, collect all the cables, and transport them along with the device
• 64. Seizing Portable Computers
• Photograph the portable and ancillary (connected) equipment
• Photograph the connectors in the back of the portable and individually label them
• Record which cables are connected to which ports in the portable
• Remove the battery
• 65. Switched ON Portables
Portables with their power on should be handled in the same way as a powered on PC
The date and time when the portable "wakes up" must be recorded
Prior to pulling the power on a portable, the battery must be removed
If it is not possible to remove the battery, pressing down on the power on/off switch for 30 seconds or so will force a hard power off
• 66. Collecting and Preserving Electronic Evidence
• 67. Collecting and Preserving Electronic Evidence
• 68. Collecting and Preserving Electronic Evidence
• 69. Collecting and Preserving Electronic Evidence
• 70. Packaging and Transporting Electronic Evidence
• 71. Evidence Bag Contents List
The panel on the front of evidence bags must be filled in with at least the following details:
• Date and time of seizure
• Seized by whom
• Exhibit number
• Seized from which place
• Details of the contents of the evidence bag
• 72. Packaging Electronic Evidence
• Make sure that the collected electronic evidence is properly documented, labeled, and listed before packaging
• Focus on hidden or trace evidence and take the necessary actions to preserve it
• Pack the magnetic media in antistatic packaging
• Avoid folding and scratching storage devices such as diskettes, CD–ROMs, and tape drives
• Make sure that all the containers that hold the evidence are labeled in an appropriate way
• 73. Packaging Electronic Evidence
• 74. Exhibit Numbering
All evidence collected should be marked as exhibits using this format:
• aaa/ddmmyy/nnnn/zz
Where:
• aaa are the initials of the Forensic Analyst or Law Enforcement Officer seizing the equipment
• ddmmyy (dd/mm/yy) is the date of the seizure
• nnnn is the sequential number of the exhibits seized by aaa, starting with 001 and going to nnnn
• zz is the sequence number for parts of the same exhibit (e.g. ‘A’ could be the CPU, ‘B’ the Monitor, ‘C’ the keyboard, etc.)
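A label scheme like this is only useful if every label actually follows it and no sequence number is issued twice. The following is an added example, not EC-Council's code, that issues exhibit numbers in the aaa/ddmmyy/nnnn/zz format and validates labels read back off evidence bags. Its assumptions are labelled in the code: initials are two or three upper-case letters, the two-digit year means 20yy, nnnn is zero-padded to four digits (the slide starts the sequence at 001), and zz is one or two upper-case letters.

```python
"""Added example: issuing and validating exhibit numbers in the
aaa/ddmmyy/nnnn/zz format (not EC-Council code).

Assumptions: initials are 2-3 upper-case letters, yy means 20yy, nnnn is
zero-padded to four digits, zz is 1-2 upper-case letters.
"""
import re
from dataclasses import dataclass
from datetime import date

EXHIBIT_RE = re.compile(
    r"^(?P<initials>[A-Z]{2,3})/(?P<ddmmyy>\d{6})/(?P<seq>\d{4})/(?P<part>[A-Z]{1,2})$"
)


@dataclass(frozen=True)
class ExhibitId:
    initials: str
    seized_on: date
    sequence: int
    part: str

    def __str__(self) -> str:
        return f"{self.initials}/{self.seized_on:%d%m%y}/{self.sequence:04d}/{self.part}"


def parse_exhibit_id(text: str) -> ExhibitId:
    """Validate a label as read off an evidence bag; raises ValueError on any deviation."""
    m = EXHIBIT_RE.match(text)
    if not m:
        raise ValueError(f"not in aaa/ddmmyy/nnnn/zz form: {text!r}")
    d = m["ddmmyy"]
    # date() itself rejects impossible dates such as 31/02 (assumption: year is 20yy).
    seized_on = date(2000 + int(d[4:6]), int(d[2:4]), int(d[0:2]))
    return ExhibitId(m["initials"], seized_on, int(m["seq"]), m["part"])


class ExhibitRegister:
    """Hands out the next sequential nnnn per seizing analyst, one id per part of an exhibit."""

    def __init__(self) -> None:
        self._next_seq: dict[str, int] = {}

    def new_exhibit(self, initials: str, seized_on: date, parts: list[str]) -> list[ExhibitId]:
        if not re.fullmatch(r"[A-Z]{2,3}", initials):
            raise ValueError("initials must be 2-3 upper-case letters")
        seq = self._next_seq.get(initials, 1)
        self._next_seq[initials] = seq + 1
        return [ExhibitId(initials, seized_on, seq, part) for part in parts]


def demo() -> list[str]:
    """Two exhibits seized by analyst 'ABC' on 1 Dec 2008 (constructed values)."""
    reg = ExhibitRegister()
    first = reg.new_exhibit("ABC", date(2008, 12, 1), ["A", "B", "C"])  # CPU, monitor, keyboard
    second = reg.new_exhibit("ABC", date(2008, 12, 1), ["A"])            # a thumb drive found later
    labels = [str(x) for x in first + second]
    # Round trip: every label we print must parse back to the same record.
    assert [parse_exhibit_id(s) for s in labels] == first + second
    return labels


if __name__ == "__main__":
    print("\n".join(demo()))
```

`demo()` returns `ABC/011208/0001/A`, `ABC/011208/0001/B`, `ABC/011208/0001/C` and `ABC/011208/0002/A`. The register keeps one counter per set of initials, which matches the slide's "sequential number of the exhibits seized by aaa"; in practice the counter would be persisted with the case file rather than held in memory.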
• 75. Transporting Electronic Evidence
• Keep electronic evidence away from magnetic sources while transporting
• Store the evidence in a secure area that is away from high temperature and humidity
• Avoid storing electronic evidence in vehicles for long periods
• Make sure that computers and other electronic components are not packed in containers
• Maintain the chain of custody on the evidence that is to be transported
• 76. Handling and Transportation to the Forensics Laboratory
Avoid turning the computer upside down or laying it on its side during transport
When transporting a computer or other computer devices, they should not be placed in a car trunk or any other area where there is the possibility of dramatic temperature and humidity changes
In a vehicle, the ideal place for transport would be the rear seat, placed in a manner where the computer will not fall if the brakes are applied suddenly or a quick maneuver is made
All evidence must be kept away from any sources of magnetism or similar sources of power that could affect the integrity of the electronic evidence
  • 77. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Storing Electronic Evidence Ensure that the electronic evidence is listed in accordance with the departmental policies Store the electronic evidence in a secure area and weather controlled environment Protect the electronic evidence from magnetic field, dust, vibration, and other factor that may damage the integrity of the electronic evidence
  • 78. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Chain of Custody ‘Chain of Custody’ refers to a written account of individuals who had the sole physical custody of a piece of evidence from the time it was seized until the end of the case By becoming a ‘link’ in the ‘Chain of Custody’ and taking possession for a piece of evidence, an individual has the responsibility to secure it in a manner which can later stand legal scrutiny in case that there is a claim of evidence tampering
  • 79. EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Chain of Custody (cont’d) • Case number • Name and title from whom received • Address and telephone number • Location from where the evidence is obtained • Date/time of evidence • Item number/quantity/description of items It contains the following information: Chain of custody document contains the complete information about the obtained evidence
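A small worked example, added here and not part of the EC-Council slides, that builds and parses exhibit labels in the slide 74 format and checks a chain-of-custody log of the kind described on slides 78 and 79 for continuous custody. The regex field widths, the entry field names, the `_entry` helper and the sample log are this example's own assumptions.

```python
import re
from datetime import datetime
# Slide 74 label format aaa/ddmmyy/nnnn/zz. Field widths are this example's
# assumption: 2-4 initials, 3-4 digit sequence, one-letter part code.
EXHIBIT_RE = re.compile(r"^([A-Z]{2,4})/(\d{6})/(\d{3,4})/([A-Z])$")

def format_exhibit_id(initials, seized_on, seq, part):
    """Build an exhibit label; seized_on is a datetime.date."""
    if not 1 <= seq <= 9999:
        raise ValueError("exhibit sequence must be 1..9999")
    return f"{initials.upper()}/{seized_on:%d%m%y}/{seq:03d}/{part.upper()}"

def parse_exhibit_id(label):
    """Split a label into its fields; raises ValueError if malformed."""
    m = EXHIBIT_RE.match(label)
    if not m:
        raise ValueError(f"malformed exhibit label: {label!r}")
    initials, ddmmyy, seq, part = m.groups()
    return {"initials": initials, "seq": int(seq), "part": part,
            "seized_on": datetime.strptime(ddmmyy, "%d%m%y").date()}

def verify_chain(entries):
    """Check one exhibit's custody log: valid label, same case and exhibit throughout,
    each custodian receives from the previous one, time moves forward. [] = continuous."""
    problems = []
    try:
        parse_exhibit_id(entries[0]["exhibit"])
    except ValueError as exc:
        problems.append(str(exc))
    for i, e in enumerate(entries[1:], start=1):
        prev = entries[i - 1]
        if (e["case"], e["exhibit"]) != (prev["case"], prev["exhibit"]):
            problems.append(f"entry {i}: case/exhibit differs from entry {i - 1}")
        if e["from"] != prev["to"]:
            problems.append(f"entry {i}: received from {e['from']!r}, "
                            f"but the last custodian was {prev['to']!r}")
        if e["when"] < prev["when"]:
            problems.append(f"entry {i}: transfer time precedes entry {i - 1}")
    return problems

def _entry(frm, to, when, where):  # builds one row of the constructed log below
    return {"case": "2008-0042", "exhibit": "ABC/011208/001/A", "from": frm,
            "to": to, "when": when, "location": where}
# Constructed sample log (not from the slides): a seized CPU passes from the
# seizing analyst to the evidence custodian and then to the lab examiner.
SAMPLE_LOG = [
    _entry("scene", "A. B. Carter", datetime(2008, 12, 1, 9, 30), "server room"),
    _entry("A. B. Carter", "evidence custodian", datetime(2008, 12, 1, 14, 0), "evidence room"),
    _entry("evidence custodian", "lab examiner", datetime(2008, 12, 2, 8, 15), "forensics lab"),
]
```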
  • 80. Simple Format of the Chain of Custody Document
  • 81. Chain of Custody Form
  • 82. Chain of Custody Form (cont’d) (form columns: Media Model, Serial No)
  • 83. Chain of Custody Form (cont’d)
  • 84. Chain of Custody on Property Evidence Envelope or Bag
  • 85. Chain of Custody Property Sign-out Sheet
  • 86. Reporting the Crime Scene
    • The first responder creates a final report after completing the forensics process; it contains complete information about the forensics process
    • The report should include:
    • Date and time of the crime
    • Model, size, and partitions of the hard disk, to find hidden or missing data
    • Name and version of the operating system running on the victim’s computer
    • Result of programs such as DOS ScanDisk or DOS ChkDisk, to establish the accuracy of any data found
    • Result of the virus scanning process
    • Software present on the victim’s computer
    • List of files stored on the victim’s computer with creation and update times
    • Name and version of the software used in the processing of computer evidence
    • Name of the interviewed person and his views
  • 87. Note Taking Checklist (Crime Scene Checklist)
  • 88. Note Taking Checklist (cont’d) (Crime Scene Checklist)
  • 89. First Responder Common Mistakes
    • Most of the time, system or network administrators act as the first responder at the crime scene
    • They cannot handle security incidents properly because they do not know the first responder procedures
    • Common mistakes committed by the first responder are as follows:
    • Shutting down or rebooting the victim’s computer
    • Assuming that some components of the victim’s computer may be reliable and usable
    • Not having access to baseline documentation about the victim computer
    • Not documenting the data collection process
  • 90. Summary
    • Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device
    • There are times when the user is present, consent from the user of the hardware is required, and consent is given
    • Documentation of the scene creates an unchanging historical record of the scene
    • The ‘Chain of Custody’ refers to a written account of the individuals who had sole physical custody of a piece of evidence from the time it was seized until the end of the case