DIGITAL FORENSICS
An Overview
BASICS OF EVERY FORENSICS CASE
1. Make an Image
2. Conduct the Investigation
3. Bookmark relevant/important discoveries
4. Prepare a report of the findings
HISTORY
• 1984 Started with the FBI’s Media Magnet Program
• 3 Cases handled that year
• 1991 The program later became the Computer Analysis Response Team (CART)
• 1995 International Organization on Computer Evidence (IOCE) was formed.
• 2001 CART renamed to Regional Computer Forensics Laboratory (RCFL)
• FBI’s full-service forensics laboratory devoted to examining and supporting criminal investigations. The RCFLs support state, local and federal cases
• 2001 Computer Forensics renamed to Digital Forensics – 16 centers as of today
WHAT IS IT?
• The practice of determining the past actions that have taken place on a computer system using computer forensic techniques and understanding artifacts.
• Science, and the techniques that you learn and, in the future, possibly discover must be documented, tested, and verified if you expect them to hold up to scrutiny.
• Often confused with Incident Response (IR).
• Incident Response is a function that strictly belongs within information technology support services. It usually looks for the cause or the break associated with the violation as it relates to a system or network and the overall computer infrastructure, rather than the actions of a person, which is what Digital Forensics does.
WHAT CAN IT DO?
• Recover deleted files.
• Determine what programs have been run.
• Recover what web pages users have viewed.
• Recover the webmail that users have read.
• Determine what file servers users have used.
• Discover the hidden history of documents.
• Recover deleted private chat conversations between users.
• Recover call records and Short Message Service (SMS) messages from mobile devices.
TOOLS & EQUIPMENT
• Forensic Workstations: There are many available on the market, but what is essential is that the workstations have the processing and memory power to perform the examination you need. As the business/lab grows, access to servers might be needed as well as purchasing an actual forensics workstation.
• SIFT: A VMware virtual machine developed by SANS, based on Ubuntu
• Write Blockers: An external device that allows acquisition by passing read commands to the evidence drive while blocking write commands.
• Anti-static Bags: Prevent static and shock from damaging the evidence/components you have gathered for your investigation.
• EnCase: Used for data acquisition and analysis
• FTK: Forensic Toolkit scans hard drives looking for various information and can recover items. It is also used to make computer images.
• ProDiscover: Creates a computer image and can turn an image into a bootable VMware virtual machine.
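The four basics listed at the top of the deck (image, investigate, bookmark, report) and the write-blocker entry above describe a procedure the slides do not show in code. The following is an added example, not part of the original presentation and not the code of any tool named here. It walks the four steps against a small constructed "device" file: the source is opened read-only (the software analogue of the write blocker), copied byte for byte, and both source and image are hashed with SHA-256 so the copy can be shown to be exact (hash verification is standard practice, though the slides do not mention it). The examination step is a simple keyword search whose hits become bookmarks with byte offsets, and the report re-verifies the image hash before stating findings. The sample bytes, the artifact markers, the case id and the examiner name are all constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 64 * 1024  # read and hash in chunks so a real image need not fit in memory

# Constructed sample "device" (not real evidence): a header, one live file, then
# unallocated space that still holds the remnant of a deleted memo and a browser
# history fragment.
SAMPLE_DEVICE_BYTES = (
    b"FAKEDISK" + b"\x00" * 8
    + b"LIVE_FILE: quarterly_report.txt contents\n"
    + b"\x00" * 32
    + b"CONFIDENTIAL MEMO: draft offer letter"
    + b"\x00" * 16
    + b"http://intranet.example/payroll"
    + b"\x00" * 32
)

# Hypothetical artifact signatures to search for (label -> byte pattern).
ARTIFACT_MARKERS = {
    "deleted document remnant": b"CONFIDENTIAL MEMO",
    "browser history fragment": b"http://",
}


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, hashed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Step 1: make an image. The source is opened read-only, copied byte for byte,
    and both sides are hashed so the copy can later be shown to be exact."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            src_hash.update(block)
            dst.write(block)
    result = {
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": sha256_file(image_path),
        "image_size": os.path.getsize(image_path),
    }
    if result["source_sha256"] != result["image_sha256"]:
        raise RuntimeError("image hash does not match source; acquisition failed")
    return result


def verify_image(image_path, expected_sha256):
    """Re-hash the image and compare with the acquisition hash. False means the image
    was altered after acquisition, so findings drawn from it are suspect."""
    return sha256_file(image_path) == expected_sha256


def find_artifacts(image_path, markers):
    """Steps 2 and 3: examine the image (here a keyword search) and bookmark every hit
    with its byte offset and a short printable context string."""
    with open(image_path, "rb") as f:
        data = f.read()  # acceptable for this small constructed image
    bookmarks = []
    for label, marker in markers.items():
        offset = data.find(marker)
        while offset != -1:
            context = data[offset:offset + 40].split(b"\x00")[0].decode("ascii", "replace")
            bookmarks.append({"label": label, "offset": offset, "context": context})
            offset = data.find(marker, offset + 1)
    return bookmarks


def build_report(case_id, examiner, acquisition, image_path, bookmarks):
    """Step 4: prepare a report. Findings are reported, not interpreted, and the image
    is re-verified at report time so the report states what it rests on."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "image_path": image_path,
        "acquisition": acquisition,
        "integrity_verified_at_report": verify_image(image_path, acquisition["image_sha256"]),
        "bookmarks": bookmarks,
    }


def run_demo():
    """Run all four steps against the constructed sample device and return the report."""
    workdir = tempfile.mkdtemp(prefix="forensics_demo_")
    device = os.path.join(workdir, "device.bin")
    image = os.path.join(workdir, "device.dd")  # raw (dd-style) image
    with open(device, "wb") as f:
        f.write(SAMPLE_DEVICE_BYTES)
    acquisition = acquire_image(device, image)
    bookmarks = find_artifacts(image, ARTIFACT_MARKERS)
    return build_report("CASE-0000 (placeholder)", "examiner (placeholder)",
                        acquisition, image, bookmarks)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script prints the report as JSON. The point a practitioner should take from it is the pairing of hashes: the acquisition hash is recorded once, and every later stage (and every later reader of the report) can re-run `verify_image` to confirm the image examined is the one that was acquired. If the bookmarked offsets cannot be tied to a verified image, the findings are not defensible, whichever commercial tool produced them.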
PREPARING FOR A CASE
• What type of case is it?
• Administrative, Civil, Criminal
• Public/Private
• What is being investigated?
• Crime/Violation
• OS/Device
• Who will be involved & at what level?
PERFORMING & DOCUMENTING THE INVESTIGATION
• Industry Tools, Processes & Guidelines Used within the investigation
• Reporting Findings
• Forensic Examiners do not interpret, but report their findings
• If during a non-criminal investigation certain information is uncovered, like child pornography, the case will become criminal and will need to be re-evaluated
• Preparing Reports for legal use
• Outcome
RECENT & SAMPLE CASES
• Target Data Breaches
• Network Intrusion/Hacking
• Personal and financial data was compromised
• Rescator
• Sold Credit Card Numbers
• Timberwolves Player: Dante Cunningham
• Romania Bank Transfer Case: Local Non-Profit
• Zeus
HOW TO BECOME A FORENSICS EXAMINER?
• Formal Training: Credibility
• Academic
• Certifications
• Experience
• Skillset: Competency
• Tools
• Industry Best Practices
• Methodologies
• Personality: Success
• Analytical
• Detailed
• Strong/Emotionally Stable
• Patient
QUESTIONS?
Amina.Baha@gmail.com