Computer Forensics


Guide to Computer Forensics and Investigations, Second Edition
Chapter 5: Processing Crime and Incident Scenes
Objectives
• Collect evidence in private-sector incident scenes
• Process law enforcement crime scenes
• Prepare for a search
Guide to Computer Forensics and Investigations, 2e
2
Objectives (continued)
• Secure a computer incident or crime scene
• Seize digital evidence at the scene
• Review a case using three different computer
forensics tools
Collecting Evidence in Private-Sector
Incident Scenes
• Freedom of Information Act (FOIA)
– States public records are open and available for
inspection
– Citizens can request public documents created by
federal agencies
• Homeland Security Act
• Patriot Act
Collecting Evidence in Private-Sector
Incident Scenes (continued)
• A corporate environment is much easier to work in than a criminal environment
• Employees’ expectation of privacy
– Create and publish a privacy policy
– Use warning banners
• State when an investigation can be initiated
– Reasonable suspicion
Collecting Evidence in Private-Sector
Incident Scenes (continued)
Collecting Evidence in Private-Sector
Incident Scenes (continued)
• Avoid becoming a law enforcement agent
• Check with your corporate attorney on how to
proceed
– Commingled data
– Warrants
– Subpoena
– Civil liability
Processing Law Enforcement Crime
Scenes
• Criminal rules of search and seizure
• Probable cause
– Specific crime was committed
– Evidence exists
– Place to be searched includes evidence
• Warrant
– Probable cause
– Witness
Processing Law Enforcement Crime
Scenes (continued)
Understanding Concepts and Terms
Used in Warrants
• Innocent information
– Unrelated information
• Limiting phrase
– Separate innocent information from evidence
• Plain view doctrine
– Searched area can be extended
• Knock and announce
Preparing for a Search
• Most important step in computing investigations
• Steps:
– Identifying the nature of the case
– Identifying the type of computer system
– Determining whether you can seize a computer
– Obtaining a detailed description of the location
Preparing for a Search (continued)
• Steps (continued):
– Determining who is in charge
– Using additional technical expertise
– Determining the tools you need
– Preparing the investigation team
Identifying the Nature of the Case
• Private or public
• Dictates:
– How you proceed
– Resources needed during the investigation
Identifying the Type of Computing
System
• Identify:
– Size of the disk drive
– Number of computers at the crime scene
– OSs
– Specific details about the hardware
• Easier to do in a controlled environment, such as a
corporation
Determining Whether You Can Seize a
Computer
• Ideal situation
– Seize computers and take them to your lab
• Not always possible
• Need a warrant
• Consider using portable resources
Obtaining a Detailed Description of the
Location
• Get as much information as you can
• Identify potential hazards
– Interact with your HAZMAT team
• HAZMAT guidelines
– Protect your target disk before using it
– Check for high temperatures
Determining Who Is in Charge
• Corporate computing investigations require only
one person to respond
• Law enforcement agencies:
– Handle large-scale investigations
– Designate leader investigators
Using Additional Technical Expertise
• Look for specialists
– OSs
– RAID servers
– Databases
• Can be hard
• Educate specialists in proper investigative
techniques
– Prevent evidence damage
Determining the Tools You Need
• Prepare your tools using incident and crime scene
information
• Initial-response field kit
– Lightweight
– Easy to transport
• Extensive-response field kit
– Includes all tools you can afford
Determining the Tools You Need
(continued)
Preparing the Investigation Team
• Review facts, plans, and objectives
• Coordinate an action plan with your team
– Collect evidence
– Secure evidence
• A slow response can cause digital evidence to be lost
Securing a Computer Incident or
Crime Scene
• Preserve the evidence
• Keep information confidential
• Define a secure perimeter
– Use yellow barrier tape
– Legal authority
• Professional curiosity
– Can destroy evidence
Seizing Digital Evidence at the Scene
• Law enforcement can seize evidence with a proper
warrant
• Corporate investigators rarely can seize evidence
• U.S. DoJ standards for seizing digital data
• Civil investigations follow same rules
– Require less documentation, though
• Consult with your attorney for extra guidelines
Processing a Major Incident
or Crime Scene
• Guidelines
– Keep a journal
– Secure the scene
– Be professional and courteous with onlookers
– Remove people who are not part of the investigation
– Video record the computer area
• Pay attention to details
Processing a Major Incident
or Crime Scene (continued)
• Guidelines (continued)
– Sketch the incident or crime scene
– Check computers as soon as possible
– Save data from current applications as safely as possible
– Make notes of everything you do when copying data from a live suspect computer
– Close applications and shut down the computer
Processing a Major Incident
or Crime Scene (continued)
• Guidelines (continued)
– Look for information related to the investigation
• Passwords, passphrases, PINs, bank accounts
– Collect documentation and media related to the
investigation
• Hardware, software, backup media
Processing Data Centers
with an Array of RAIDs
• Sparse evidence file recovery
– Extracts only data related to evidence for your case
from allocated files
– Minimizes how much data you need to analyze
– Doesn’t recover residual data in free or slack space
– If you have a computer forensics tool that accesses
the unallocated space on a RAID system, work it on
a test system first to make sure it doesn’t corrupt the
RAID computer
Using a Technical Advisor at an
Incident or Crime Scene
• Technical specialists
• Responsibilities:
– Know the aspects of the seized system
– Direct the investigator in handling sensitive material
– Help secure the scene
– Help document the planning strategy
– Conduct ad hoc training
– Document activities
Sample Civil Investigation
• Recover specific evidence
– Suspect’s Outlook e-mail folder (PST file)
• Covert surveillance
– Company policy
– Risk of civil or criminal liability
• Sniffing tools
– For data transmissions
Sample Criminal Investigation
• Computer crimes examples
– Fraud
– Check fraud
– Homicides
• Need a warrant to start seizing evidence
– Limit searching area
Sample Criminal Investigation
(continued)
Reviewing a Case
• Tasks for planning your investigation
– Identify the case requirements
– Plan your investigation
– Conduct the investigation
– Complete the case report
– Critique the case
Identifying the Case Requirements
• Identify requirements, such as:
– Nature of the case
– Suspect’s name
– Suspect’s activity
– Suspect’s hardware and software specifications
Planning Your Investigation
• List what you can assume or know
– Several incidents may or may not be related
– Suspect’s computer can contain information about
the case
– Whether someone else has used suspect’s
computer
• Make an image of suspect’s computer disk drive
• Analyze forensics copy
DriveSpy
• Functions
– Create an image
– Verify validity of image
– Analyze image
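The image-verify-analyze sequence described on the Planning Your Investigation and DriveSpy slides, combined with the chapter's advice to keep a journal of everything done while copying data, as an added Python example that is neither from the textbook nor DriveSpy's own code. The "drive" is a constructed byte string standing in for a raw device, and the image file name is a placeholder.

```python
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 4096  # read size; a real device is read in whole-sector multiples

def stamp():
    """UTC timestamp for journal entries."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def sha256_of_file(path):
    """Hash a stored image in chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def image_and_verify(source, image_path, journal):
    """Copy every byte of `source` (read-only file-like) to `image_path`, hashing the
    source as it is read, then re-hash the stored image. Returns (src, img, match)."""
    src_hash = hashlib.sha256()
    with open(image_path, "wb") as dst:
        for block in iter(lambda: source.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    journal.append(f"{stamp()} bit-stream image written to {image_path}")
    src, img = src_hash.hexdigest(), sha256_of_file(image_path)
    journal.append(f"{stamp()} sha256 source={src} image={img} match={src == img}")
    return src, img, src == img

def acquire_demo(tamper=False):
    """Image a constructed 'drive', then re-verify the stored copy before analysis;
    with tamper=True one byte of the image is altered first so re-verification fails."""
    drive = b"\x00" * 446 + b"\x80" + b"\x00" * 63 + b"\x55\xaa"  # constructed MBR-like sector
    drive += b"evidence.docx contents" + b"\x00" * 6000 + b"residual slack data"
    journal = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "suspect-drive.dd")  # placeholder image name
        src, img, ok = image_and_verify(io.BytesIO(drive), path, journal)
        if tamper:
            with open(path, "r+b") as f:
                f.seek(512)
                f.write(b"X")
        reverified = sha256_of_file(path) == src
        journal.append(f"{stamp()} re-verification before analysis: {reverified}")
    return ok, reverified, journal
```

Analysis is then done on the verified image, never on the original source, and the journal entries record the hashes that a later examiner can recompute.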
DriveSpy (continued)
Access Data Forensic Toolkit (FTK)
• Functions
– Extract the image from a bit-stream image file
– Analyze the image
Access Data Forensic Toolkit (FTK)
(continued)
X-Ways Forensics
• Functions
– Extract forensic image
– Analyze image
X-Ways Forensics (continued)
Summary
• Private sector
– Contained and controlled area
• Publish a policy stating the right to inspect computer assets
• Private and public sectors follow same computing
investigation rules
• Avoid becoming an agent of law enforcement
• Criminal cases require warrants
Summary (continued)
• Protect your safety and health as well as the
integrity of the evidence from hazardous materials
• Follow guidelines when processing an incident or
crime scene
– Securing perimeter
– Video recording
Summary (continued)
• Become familiar with forensics tools
– DriveSpy and Image
– FTK
– X-Ways Forensics