Preparing for Computer Investigations (PowerPoint slideshow, 17 slides, uploaded by medwin)

Presentation Transcript
Preparing for Computer Investigations
  • our focus: what makes “computer” investigations different from other forensic investigations
  • 2 categories of investigation:
    • criminal (public, government agency)
    • civil (private, corporate)
  • criminal investigations are subject to constitutional and federal search and seizure rules: Section 8 of the Canadian Charter of Rights and Freedoms (http://www.canlii.org/ca/com/chart/s-8.html#_Toc68428976) and the Fourth Amendment to the US Constitution; the US DOJ search and seizure manual is at http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm

CSC 233H5S, 2007(1)

(Civil) Corporate Investigations
  • private companies, non-enforcement government agencies, and lawyers
  • not directly governed by criminal law, but by internal corporate policies
    • e.g., e-mail harassment, falsification of data, discrimination, embezzlement, industrial espionage, intellectual property, improper use of company resources
  • a search warrant is not needed to examine company property (as opposed to an employee’s personal property, such as a personal phone or laptop, or data in which the employee has a reasonable expectation of privacy; a published acceptable-use policy that employees have acknowledged is what removes that expectation for company systems)
  • for the most part, we will concentrate on the criminal side (but read about George and Martha)
  • advice: act as though a civil case may go criminal

Criminal Investigations
  • e.g., break-and-enter: whether the tool is a lockpick, a slim-jim, or a computer, the offence is the same
  • 3 stages to an investigation: complaint, investigation, prosecution
  • [note that the 3 levels of law enforcement computer expertise cited in the text on page 12 differ from the 3 levels given in lecture, Week 1, page 4]
  • investigation begins with preparing the case
  • as you gather evidence, follow a systematic approach (page 32) and maintain a chain of custody: a record of who handled each item of evidence, when, and for what purpose, signed at every hand-off

(Parts of a) Systematic Approach
  • Determine the resources you need
    • based on the software (application and system, i.e., OS) and hardware of the computer system being investigated, prepare a list of the software and hardware tools you will need (including a write blocker and enough target storage for the images)
  • Obtain and copy an evidence disk drive
    • make a forensic copy of all storage media
  • Do a standard risk assessment
    • e.g., a knowledgeable computer user may have set the system up so that entering a wrong password, or booting it normally, causes data to be overwritten or wiped

(More) (Parts of a) Systematic Approach
  • Minimize the risks
    • make multiple forensic copies of the original storage media, store them separately, and never work on the original
  • Test the design
    • compare hash values (MD5 or SHA-1 in the text’s era; SHA-256 today) of the original medium and of each copy to ensure that you have a forensically sound copy of the original media; record the hashes in the case notes
  • Recover the digital evidence, using software and hardware tools, on the forensic copy
  • Analyze the digital evidence

Assessing the Case
  • type of evidence: storage media (model number, serial number, part number, external “label”, internal “label”, storage capacity, …)
  • operating system: Windows (what version, what build number, what service pack) or Mac OS or Linux

Securing the Evidence
  • do not damage any computer hardware component (e.g., pins on a port)
  • beware of static electricity, which can destroy digital data
    • antistatic bags, pads, and wrist-straps
  • use a well-padded container
    • the disk drive is an electromechanical device
  • use evidence tape to secure all openings; write your initials on the tape
  • many storage devices use magnetic media, so ...

Forensic Workstation (FWS)
  • the secure copy of the original storage media can be made on a separate FWS, replete with hardware and software options
  • also done on the FWS are …
    • the comparison of the digital hashes
    • the recovery of digital evidence from a copy
    • the analysis of digital evidence
  • even normally powering on the computer under investigation can alter the digital evidence, since the OS writes logs, updates timestamps and may overwrite unallocated space at boot (Chapter 7 for Windows)

Gathering the Evidence
  • acquire the disk and make a forensic copy that is an exact duplicate (on the FWS behind a write blocker, or on the original system booted from a separate forensic boot disk that does not mount the suspect media writable)
  • a bit-stream copy is a bit-by-bit (sector-by-sector) copy of the entire original storage medium, including unallocated space and slack space, and so is an exact duplicate; when that copy is stored as a file it is called a bit-stream image
  • different from a backup copy of the disk
    • backup software copies only the files the file system still lists (allocated files in folders, or files of a known type); it cannot copy deleted files, remnants of instant-message sessions, or file fragments that remain in unallocated space on the disk

Bit-Stream Image
  • the bit-stream image is a file on the FWS
  • depending on the tool used to recover the evidence, it can be investigated either by
    • copying the bit-stream image onto a disk identical to the original medium on the FWS, re-creating the original medium, OR
    • investigating the bit-stream image as a file on the FWS
  • <insert drawing here>
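
The systematic approach of the earlier slides (copy, hash, verify, work only on the copy) and the bit-stream-image-versus-backup distinction of the last two slides, as an added example in Python that is not part of the original slides. The “device” is a constructed in-memory byte string with an assumed toy layout (a one-sector allocation table, one live file, and the leftover bytes of a deleted file in unallocated space); a real acquisition reads a block device through a write blocker. The function names are the example’s own.

```python
"""
Added example (not from the original slides): a bit-stream image of a storage
medium versus a file-level backup, with hash verification of the copies.

The 'device' is a constructed byte string laid out like a tiny disk (an
assumption for the demo): sector 0 is a toy allocation table naming one live
file, sectors 1-2 hold that file, and sectors 8-9 still hold the bytes of a
file the user deleted (its table entry is gone, the bytes remain).
"""
import hashlib
import io
import json
from datetime import datetime, timezone

SECTOR = 512


def build_sample_device() -> bytes:
    """Construct the 16-sector sample 'disk' described above."""
    table = json.dumps({"files": [{"name": "report.txt", "start": 1, "sectors": 2}]}).encode()
    disk = bytearray(16 * SECTOR)
    disk[0:len(table)] = table
    live = b"Quarterly report: all figures reconciled.\n"
    disk[1 * SECTOR:1 * SECTOR + len(live)] = live
    deleted = b"DELETED: transfer 40,000 to offshore acct 7781-2\n"  # constructed
    disk[8 * SECTOR:8 * SECTOR + len(deleted)] = deleted
    return bytes(disk)


def sha256_stream(fp, chunk=4096) -> str:
    """Hash a file-like object in chunks, so multi-GB device files fit in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: fp.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def bitstream_image(src_fp, dst_fp, chunk=SECTOR) -> str:
    """Copy every byte of src to dst sector by sector (what dd or a forensic
    imager does) and return the SHA-256 of what was written."""
    h = hashlib.sha256()
    src_fp.seek(0)
    for block in iter(lambda: src_fp.read(chunk), b""):
        dst_fp.write(block)
        h.update(block)
    return h.hexdigest()


def backup_copy(device: bytes) -> dict:
    """What a file-level backup sees: only the files the allocation table lists."""
    table = json.loads(device[:SECTOR].rstrip(b"\x00").decode())
    out = {}
    for f in table["files"]:
        start, end = f["start"] * SECTOR, (f["start"] + f["sectors"]) * SECTOR
        out[f["name"]] = device[start:end].rstrip(b"\x00")
    return out


def verify_copy(original_hash: str, candidate: bytes) -> bool:
    """The 'test the design' step: a copy is sound only if its hash matches."""
    return sha256_stream(io.BytesIO(candidate)) == original_hash


def acquire_and_verify(device: bytes) -> dict:
    """Hash the original once, make two bit-stream images, hash each as written
    and again on re-read, and mark the acquisition verified only if every hash
    agrees. Returns a chain-of-custody style record plus the first image."""
    original_hash = sha256_stream(io.BytesIO(device))
    images = []
    for n in range(2):  # multiple copies, stored separately in practice
        img = io.BytesIO()
        write_hash = bitstream_image(io.BytesIO(device), img)
        img.seek(0)
        reread_hash = sha256_stream(img)
        images.append({"copy": n + 1, "write_hash": write_hash,
                       "reread_hash": reread_hash, "data": img.getvalue()})
    verified = all(i["write_hash"] == original_hash == i["reread_hash"] for i in images)
    return {"acquired_at": datetime.now(timezone.utc).isoformat(),
            "original_sha256": original_hash,
            "copies": [{k: v for k, v in i.items() if k != "data"} for i in images],
            "verified": verified,
            "image": images[0]["data"]}


def find_fragment(blob: bytes, needle: bytes) -> bool:
    """Crude carving: does the byte string still contain the fragment?"""
    return needle in blob


if __name__ == "__main__":
    dev = build_sample_device()
    record = acquire_and_verify(dev)
    print("image verified:", record["verified"])
    print("backup sees deleted fragment:",
          find_fragment(b"".join(backup_copy(dev).values()), b"DELETED:"))
    print("image sees deleted fragment:", find_fragment(record["image"], b"DELETED:"))
```

Run as is, the hashes of the original and of both copies agree and the record is marked verified; the file-level backup returns only report.txt, while the bit-stream image still contains the deleted fragment, which is the whole reason the image, not a backup, is what gets analysed. A copy that differs by even one byte fails verify_copy, which is the check that tells you a copy is not forensically sound before any time is spent on it.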

Challenges in Processing a Computer Investigation Scene
  • computing investigations typically involve large amounts of data, some potentially related to a crime and the rest innocent information, commingled on the same media
    • a 200 GB disk drive might take several hours to image
  • a warrant usually requires that police officers “knock and announce”, but the ease and speed of destroying electronic evidence is a concern
    • a single format command, or a pre-arranged wipe, can run in the time it takes to answer the door

Protecting Digital Evidence
  • the crime scene’s security perimeter is usually not set by the computer investigator
  • try to prevent anyone from accessing the computer via a wireless connection (e.g., Wi-Fi, Bluetooth or infrared), since a suspect could remotely wipe or alter data while the scene is being processed
  • the information on a disk, in bits and bytes, is virtual in that it consists of 0s and 1s, but the courts consider it to be physical evidence
  • computers can contain “real” physical evidence, such as DNA residue on a keyboard or fingerprints
  • the suspect computer should not be examined until a bit-stream image of the disk has been captured; do not re-start the computer except from a forensic boot disk that does not mount the suspect media writable

First Responder
  • a useful reference is “Electronic Crime Scene Investigation: A Guide for First Responders”, US DOJ (2001), http://www.ojp.usdoj.gov/nij/pubs-sum/187736.htm
  • “It is recognized that all crime scenes are unique …”
  • need procedures and crime scene protocol that minimize the chance of injury and contamination of evidence

Identification of Evidence
  • look for
    • hardware: desktop computer, laptop, handheld computer, external hard drives, digital camera, peripheral devices such as printers or scanners
    • software: installation disks for specialized software, for example
    • (easily hidden) removable media: floppy disks, CDs, DVDs, thumb drives, memory cards, and any evidence of backups
    • documentation: for hardware and software
    • passwords and telephone numbers
    • printouts: maybe in the garbage

Identification of Evidence II
  • unplug the modem and network cables; test the phone jack and data port to see if they are active
  • photograph evidence in situ; remove casings and photograph internal components, such as hard-drive jumper settings
  • note and photograph the contents of each window on the screen, if applicable
  • write-protect media where possible
  • the copy of the digital evidence should go to a write-once storage media that is suitable for long-term storage (e.g., CD)

Processing a Computer Crime Scene

in addition to normal suggestions (e.g., keep a journal) …

  • take video recordings, including the backs and sides of all computers; place numbered labels on each cable and each plug/port, to be able to re-assemble everything
  • computer storage media can be small and can be disguised
  • a tablet PC is useful in sketching the scene
  • computer data is volatile, so check the computer as soon as possible: powered on or off? if powered on, decide between pulling the plug (keeps the disk as it is but loses RAM contents and open network connections), a normal shutdown (writes to the disk and may trigger cleanup scripts), or a live capture of memory and running processes (preserves volatile data but alters the system, so document exactly what was run)
  • note: criminals may leave booby-traps, to destroy data
    • e.g., Microsoft DOS COMMAND.COM patched so that the directory-listing command (dir) actually runs the delete-tree command (deltree), wiping a whole directory tree when an investigator “just looks”
  • goal: preserve as much data as possible
