
6 Conducting Digital Investigations

6 Conducting Digital Investigations. Dr. John P. Abraham Professor UTPA. Steps for conducting investigation. Preparation Survey/identification Preservation Examination and analysis Presentation





Presentation Transcript


  1. 6 Conducting Digital Investigations Dr. John P. Abraham Professor UTPA

  2. Steps for conducting an investigation • Preparation • Survey/identification • Preservation • Examination and analysis • Presentation • We can use different models to achieve this: Physical Model, Staircase Model, Evidence Flow Model, Subphase Model, and Roles and Responsibilities Model.

  3. Preparation: • Generating a plan of action to conduct an effective digital investigation. • Obtain supporting resources and materials.

  4. Survey/Identification • Finding potential sources of digital evidence. • Survey of evidence.

  5. Preservation • Preventing changes to in situ digital evidence. • Isolating the system from the network • Securing relevant log files • Collecting volatile data (memory, running processes, open network connections) before any action that would destroy it

  6. Examination and Analysis • Searching for and interpreting trace evidence. • Forensic examination is the process of extracting and viewing information from the evidence. • Forensic analysis is the application of the scientific method and critical thinking to address: who, what, where, when, how and why.

  7. Presentation • Reporting of the findings

  8. Physical Model • Crime scene preservation – secure the area • Crime scene survey – identify physical evidence • Documentation – photographs, sketches, maps of evidence and crime scene. • Search for non-obvious evidence and collection. • Crime scene reconstruction based on theories developed from analysis.

  9. Staircase model • Crime/policy violation • Assessment of worth, prioritize, choose • Identification or seizure • Preservation • Recovery • Harvesting • Reduction • Focus, search • Analysis • Report • Persuasion and testimony

  10. Other models • Evidence flow model – p. 194 • Subphase model – p. 195 • Roles and responsibilities model – p. 196

  11. Scaffolding for digital investigations • Accusation or incident alert • alarm from an intrusion detection system, review of firewall logs, suspicious entries in server logs, etc. • A complaint • Authorization • Ensure that the search does not violate laws or give rise to liability. Obtain instructions and written authorization. If a warrant is required, obtain it before searching. • Transportation • Moving evidence to the forensic lab while maintaining the chain of custody. • Verification and case management • Hash evidence when it is collected and re-hash it later to show it is unchanged; corroborate key findings with multiple tools, etc.

  12. Applying the scientific method in digital investigations • Formation and Evaluation of Hypotheses • Preparation • Preservation • Examination • Analysis • Reporting and Testimony Each is discussed in the following slides.

  13. Hypotheses A theory formed of what may have occurred. Example: Claim: senior management stole proprietary data while exiting the business. Hypotheses formed: • Proprietary information was emailed out of the business, using work email or private email. If webmail was used, webmail fragments will exist in the file system of the employee's laptop. • Proprietary information was copied to a USB device and taken out.

  14. Case example • One party claimed the contract conditions were not met because the accused did not send a reply email. The defendant claimed it was sent on a given date. • H1: the email was sent at a later time and made to appear sent earlier by rolling back the clock. • H2: the email was sent at a later time from some other computer and imported into the defendant's computer. • The Vista event log of the defendant's computer can be examined for out-of-order entries (H1). • The metadata of the email will support or refute H2: the Message-ID field of the email can be compared with that of other messages sent from the defendant's computer.
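The two hypotheses on this slide can each be reduced to a mechanical check. What follows is an added example, not from the slides or the textbook: Python that tests H1 by looking for log records whose timestamp runs backwards relative to the record written before it, and H2 by comparing the host part of each Message-ID with the rest of the mailbox. The record numbers, timestamps and Message-ID values are constructed for illustration and belong to no real case.

```python
"""Testing H1 (clock rolled back) and H2 (message imported from another
machine) from the case example, on constructed data.

H1: an event log is written in order.  If the clock was set back to
back-date a message, records written after the rollback carry timestamps
earlier than the records before them.  Windows event logs also carry a
record number that keeps increasing regardless of the clock, so records are
walked in record-number order, not timestamp order.

H2: the Message-ID header is generated by the sending client or server and
normally embeds that host's name.  A message whose Message-ID host differs
from every other message sent from the same mailbox is a candidate for
having been composed elsewhere and imported.
"""
from datetime import datetime
import re

# Constructed event records: (record number, timestamp) in write order.
EVENTS = [
    (1001, "2009-03-10T09:00:00"),
    (1002, "2009-03-10T09:05:00"),
    (1003, "2009-03-02T14:00:00"),  # constructed: clock set back here
    (1004, "2009-03-02T14:20:00"),
    (1005, "2009-03-10T09:30:00"),  # constructed: clock restored
]


def find_time_rollbacks(events):
    """Return (record_no, previous_ts, ts) for every record whose timestamp
    is earlier than that of the record written immediately before it."""
    ordered = sorted(events, key=lambda e: e[0])
    rollbacks = []
    for (_, prev_ts), (no, ts) in zip(ordered, ordered[1:]):
        if datetime.fromisoformat(ts) < datetime.fromisoformat(prev_ts):
            rollbacks.append((no, prev_ts, ts))
    return rollbacks


# Constructed "Sent Items" headers; the defendant's own host is
# mail.defendant.example, the odd one out was generated on "otherpc".
MESSAGES = [
    {"Message-ID": "<4A1B2C3D.5060208@mail.defendant.example>", "Date": "2009-03-01T10:00:00"},
    {"Message-ID": "<4A1B2D01.1020304@mail.defendant.example>", "Date": "2009-03-01T11:30:00"},
    {"Message-ID": "<000301c9a1f2$9a3b4c5d$0a000001@otherpc>", "Date": "2009-03-02T14:05:00"},
    {"Message-ID": "<4A1B3F10.8090902@mail.defendant.example>", "Date": "2009-03-03T08:15:00"},
]

MSGID_RE = re.compile(r"<[^@>]+@([^>]+)>")


def msgid_host(message_id):
    """Right-hand side of a Message-ID (the generating host), lower-cased."""
    m = MSGID_RE.match(message_id.strip())
    return m.group(1).lower() if m else None


def find_foreign_message_ids(messages):
    """Return the Message-IDs whose host differs from the host used by the
    majority of messages in the mailbox."""
    hosts = [msgid_host(m["Message-ID"]) for m in messages]
    majority = max(set(hosts), key=hosts.count)
    return [m["Message-ID"] for m, h in zip(messages, hosts) if h != majority]


if __name__ == "__main__":
    print("H1 rollbacks:", find_time_rollbacks(EVENTS))
    print("H2 foreign Message-IDs:", find_foreign_message_ids(MESSAGES))
```

Neither check is proof on its own: a rollback finding should be corroborated against other timestamped artefacts on the same system, and a Message-ID host mismatch can also be explained by a different mail client or webmail service, so the result is a lead to be tested, not a conclusion.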

  15. Preparation • Create a plan of action to perform effective digital investigation • Preparation for preservation step ensures that the best evidence can be preserved. • Preparation for preventing future incidents includes establishment of a framework that includes policies, procedures, centralized logging, and properly trained personnel.

  16. Survey • Observation: a methodical inspection of the crime scene. • Hypothesis: theories should be developed about why certain evidence is not present, or present. • Prediction: ideas developed regarding missing items. Backup tapes are good potential sources for missing evidence.

  17. Preservation Collect volatile items first and preserve integrity of data.

  18. Examples: • Hard drive • Observation: type of drive, tracks and sectors. • Hypothesis: a complete and accurate duplicate of the hard drive can be obtained without altering the original. • Prediction: the resulting forensic duplicate will have the same hash value as the original disk drive.
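The prediction on this slide, and the hashing step under "Verification" on slide 11, are tested the same way in practice: hash the source, image it, hash the image, and hash the source again, so that a match shows both that the duplicate is complete and that the original was not altered by the acquisition. The following is an added Python example, not from the slides or the textbook; the "device" is a constructed temporary file filled with random bytes, and the examiner name is a placeholder.

```python
"""Acquire a forensic duplicate and verify it by hash, recording the result
in a chain-of-custody style record.  The source device here is a constructed
temporary file, not a real disk.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so a disk-sized source need not fit in memory


def sha256_of(path):
    """Streamed SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image):
    """Bit-for-bit copy of `source` to `image`.  The source is opened
    read-only; a real acquisition also sits behind a write blocker, which
    is what actually guarantees the original cannot be altered."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)


def acquire_and_verify(source, image, examiner):
    """Image `source` to `image` and return a custody record.  `verified` is
    True only when the image hash equals the source hash taken before
    acquisition AND the source hash is unchanged afterwards."""
    before = sha256_of(source)
    acquire(source, image)
    image_hash = sha256_of(image)
    after = sha256_of(source)
    return {
        "source": source,
        "image": image,
        "examiner": examiner,                      # placeholder value
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "sha256_source_before": before,
        "sha256_image": image_hash,
        "sha256_source_after": after,
        "verified": before == image_hash == after,
    }


def demo(tamper=False):
    """Build a constructed 3 MiB 'device', image it and verify.  With
    tamper=True one byte of the image is flipped afterwards, and re-hashing
    the image against the recorded source hash exposes the change."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "sdb.raw")   # constructed source device
    img = os.path.join(tmp, "sdb.dd")    # forensic duplicate
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK))
    record = acquire_and_verify(src, img, examiner="J. Doe")
    if tamper:
        with open(img, "r+b") as f:
            f.seek(CHUNK + 17)
            original = f.read(1)
            f.seek(CHUNK + 17)
            f.write(bytes([original[0] ^ 0xFF]))
        record["verified"] = sha256_of(img) == record["sha256_source_before"]
    return record


if __name__ == "__main__":
    print(demo())
    print("after tampering, verified =", demo(tamper=True)["verified"])
```

Re-hashing the image later (and, where the "multiple tools" point on slide 11 applies, with a second independent tool) is what lets the examiner show at presentation time that the evidence analysed is the evidence collected.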

  19. E-mail on server • Observation: email stored on a server, including some deleted messages. • Hypothesis: the emails of interest can be copied without disruption to the server. • Mobile device • Observation: there is a digital camera. • Hypothesis: a complete and accurate duplicate of the photographs can be made. • Prediction: pictures and video taken with the digital camera can be retrieved.

  20. Analysis • Application of scientific method and critical thinking: who, what, where, when, how and why. • Detailed scrutiny of data • Information obtained during the digital investigation is combined to reconstruct the events relating to the crime.

  21. Reporting and Testimony • Final reports should contain the important detail from each step • Refer to the protocols followed • Methods used to seize, document, collect, preserve, recover and reconstruct. • Any conclusions reached should be substantiated with supporting evidence and analysis. • Show objectivity by describing the alternative theories that were eliminated.

  22. Assignment • Pages 220 to 224 describes a scenario using the theory described in this chapter. • In your own words summarize it.
