Preparing for computer investigations
Preparing for Computer Investigations

  • our focus: what makes “computer” investigations different from other forensic investigations

  • 2 categories of investigation:

    • criminal (public, government agency)

    • civil (private, corporate)

  • criminal investigations are subject to constitutional search and seizure rules: section 8 of the Canadian Charter of Rights and Freedoms and the Fourth Amendment to the US Constitution

CSC 233H5S, 2007(1)

Civil corporate investigations l.jpg
(Civil) Corporate Investigations

  • private companies, non-enforcement government agencies, and lawyers

  • not directly governed by criminal law, but by internal corporate policies

    • e.g., e-mail harassment, falsification of data, discrimination, embezzlement, industrial espionage, intellectual property, improper use of company resources

  • a search warrant is not needed to examine company property (as opposed to an employee's personal property); company policy should make clear that users of its systems have no expectation of privacy

  • for the most part, we will concentrate on the criminal side (but read about George and Martha)

  • advice: act as though a civil case may go criminal

Criminal Investigations

  • e.g., break-and-enter: the tool may be a lockpick, a slim-jim, or a computer

  • 3 stages to an investigation: complaint, investigation, prosecution

  • [note that the 3 levels of law enforcement computer expertise cited in the text on page 12 differ from the 3 levels given in lecture, Week 1, page 4]

  • investigation begins with preparing the case

  • as you gather evidence, follow a systematic approach (page 32) and maintain a chain of custody

(Parts of a) Systematic Approach

  • Determine the resources you need

    • based on the software (applications and operating system) and hardware of the system being investigated, prepare a list of the software and hardware tools you will need

  • Obtain and copy an evidence disk drive

    • make a forensic copy of all storage media

  • Do a standard risk assessment

    • e.g., a knowledgeable suspect may have set the system up to overwrite data if a wrong password is entered

(More) (Parts of a) Systematic Approach

  • Minimize the risks

    • make multiple copies of the original storage media and work only on copies; the original stays sealed as evidence

  • Test the design

    • compare cryptographic hashes of the original medium and the copy to ensure that you have a forensically sound copy; any difference means the copy cannot be used as evidence

  • Recover the digital evidence, using software and hardware tools, on the forensic copy

  • Analyze the digital evidence

Assessing the Case

  • type of evidence: storage media (model number, serial number, part number, external “label”, internal “label”, storage capacity, …)

  • operating system: Windows (which version, build number, service pack), Mac OS, or Linux

Securing the Evidence

  • do not damage any computer hardware component (e.g., pins on a port)

  • beware of static electricity, which can damage components and the data on them

    • antistatic bags, pads, and wrist-straps

  • use a well-padded container

    • the disk drive is an electromechanical device and is sensitive to shock

  • use evidence tape to secure all openings; write your initials on the tape

  • many storage devices use magnetic media, so ...

Forensic Workstation (FWS)

  • the forensic copy of the original storage media can be made on a separate forensic workstation (FWS), equipped with the hardware and software options the case needs

  • also done on the FWS are …

    • the comparison of the digital hashes

    • the recovery of digital evidence from a copy

    • the analysis of digital evidence

  • even a normal power-on of the computer under investigation alters the digital evidence, since the operating system writes to the disk as it boots (Chapter 7 for Windows)

Gathering the Evidence

  • acquire the disk and make a forensic copy that is an exact duplicate (on the FWS or on the original system with a separate boot disk)

  • a bit-stream copy is a bit-by-bit copy of the original storage medium and is therefore an exact duplicate; stored as a file on the FWS it is called a bit-stream image

  • different from a backup copy of the disk

    • backup software copies only the files the file system still lists; it does not copy deleted files, file slack, or fragments (e.g., of instant messages) that remain in unallocated space on the disk

Bit-Stream Image

  • the bit-stream image is a file on the FWS

  • depending on the tool used to recover the evidence, it can be investigated either by

    • restoring the bit-stream image onto a disk identical to the original medium, attached to the FWS, thereby re-creating the original medium, OR

    • investigating the bit-stream image as a file on the FWS

  • <insert drawing here>
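The difference between a backup copy and a bit-stream image, and the hash comparison that "tests the design", as an added example that is not part of the lecture slides. A toy disk of fixed-size sectors with a minimal directory stands in for the evidence medium, so nothing real is touched. The names ToyDisk, backup_copy, bitstream_image, verify_image and carve, the 16-byte sector geometry and the sample file contents are all this example's own assumptions.

```python
"""Bit-stream image versus backup copy, with hash verification.

Added example, not code from the lecture slides. A toy disk of fixed-size
sectors with a minimal directory stands in for the evidence medium; the
class and function names, the sector geometry and the sample file contents
are all assumptions made for this illustration.
"""
import hashlib

SECTOR = 16     # bytes per sector (assumed toy geometry)
NSECTORS = 8    # total sectors on the toy medium


class ToyDisk:
    """Raw medium plus a directory: name -> (size, [sector numbers])."""

    def __init__(self):
        self.raw = bytearray(SECTOR * NSECTORS)
        self.directory = {}

    def _free_sectors(self):
        used = {s for _, secs in self.directory.values() for s in secs}
        return [s for s in range(NSECTORS) if s not in used]

    def write_file(self, name, data):
        free = self._free_sectors()
        needed = -(-len(data) // SECTOR)          # ceiling division
        if needed > len(free):
            raise IOError("disk full")
        sectors = free[:needed]
        for i, s in enumerate(sectors):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.raw[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.directory[name] = (len(data), sectors)

    def delete_file(self, name):
        # As on most file systems: the directory entry goes, the bytes stay.
        del self.directory[name]

    def read_file(self, name):
        size, sectors = self.directory[name]
        data = b"".join(bytes(self.raw[s * SECTOR:(s + 1) * SECTOR])
                        for s in sectors)
        return data[:size]


def backup_copy(disk):
    """What backup software sees: only files the directory still lists."""
    return {name: disk.read_file(name) for name in disk.directory}


def bitstream_image(disk):
    """Forensic copy: every bit of the medium, allocated or not."""
    return bytes(disk.raw)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_image(original, image):
    """'Test the design': the copy is sound only if the hashes agree."""
    return sha256(original) == sha256(image)


def carve(image, needle):
    """Recover evidence from the copy: look for a string anywhere on the medium."""
    return image.find(needle) != -1


def demo():
    disk = ToyDisk()
    # Constructed sample content; nothing here comes from a real case.
    disk.write_file("memo.txt", b"quarterly numbers are fine")
    disk.write_file("plan.txt", b"wire 50k to offshore acct")
    disk.delete_file("plan.txt")             # the suspect "destroys" the file

    backup = backup_copy(disk)               # what a backup tool would get
    image = bitstream_image(disk)            # what the examiner acquires
    hash_before = sha256(image)              # goes on the chain-of-custody form

    # Test the design: hash of the image must equal hash of the original.
    image_verified = verify_image(bytes(disk.raw), image)

    # A single flipped bit in a copy is enough to fail verification.
    tampered = bytearray(image)
    tampered[0] ^= 0x01
    tampered_verified = verify_image(bytes(disk.raw), bytes(tampered))

    # Recover evidence from the copy, never from the original medium.
    deleted_in_backup = any(b"offshore" in data for data in backup.values())
    deleted_in_image = carve(image, b"offshore")

    hash_after = sha256(image)               # re-hash after analysis: unchanged
    return {
        "backup": backup,
        "deleted_in_backup": deleted_in_backup,
        "deleted_in_image": deleted_in_image,
        "image_verified": image_verified,
        "tampered_verified": tampered_verified,
        "hash_before": hash_before,
        "hash_after": hash_after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The backup never contains the deleted file, the bit-stream image does, and a copy that differs from the original in even one bit fails the hash check. In a real acquisition the same steps are carried out with a hardware write blocker between the evidence drive and the FWS, an imaging tool in place of bitstream_image, and the before and after hashes recorded on the chain-of-custody form.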

Challenges in Processing a Computer Investigation Scene

  • computing investigations typically involve large amounts of data, some potentially related to a crime and the rest innocent information, co-mingled

    • a 200 GB disk drive might take several hours to image

  • a warrant usually requires that police officers “knock and announce”, but the ease and speed with which electronic evidence can be destroyed is a concern

    • e.g., a single format or wipe command

Protecting Digital Evidence

  • the crime scene’s security perimeter is usually not set by the computer investigator

  • try to prevent anyone from accessing the computer via a wireless connection (e.g., infrared, Bluetooth, or Wi-Fi)

  • the information on a disk, in bits and bytes, is virtual in that it consists of 0s and 1s, but the courts consider it to be physical evidence

  • computers can contain “real” physical evidence, such as DNA residue on a keyboard or fingerprints

  • the suspect computer should not be examined until a bit-stream image of the disk has been captured; do not re-start the computer except from a forensic boot disk (one that does not write to the suspect's drives)

First Responder

  • a useful reference is: “Electronic Crime Scene Investigation: A Guide for First Responders”, US DOJ (2001)

  • “It is recognized that all crime scenes are unique …”

  • need procedures and crime scene protocol that minimize the chance of injury and contamination of evidence

Identification of Evidence

  • look for

    • hardware: desktop computer, laptop, handheld computer, external hard drives, digital camera, peripheral devices such as printers or scanners

    • software: installation disks for specialized software, for example

    • (easily hidden) removable media: floppy disks, CDs, DVDs, thumb drives, and any evidence of backups

    • documentation: for hardware and software

    • notes with passwords and telephone numbers

    • printouts: maybe in the garbage

Identification of Evidence II

  • unplug the modem and network cables; test the phone jack and data port to see if they are active

  • photograph evidence in situ; remove casings and photograph internal components, such as hard-drive jumper settings

  • note and photograph the contents of each window on the screen, if applicable

  • write-protect media where possible

  • the copy of the digital evidence should go to write-once storage media suitable for long-term storage (e.g., CD-R)

Processing a Computer Crime Scene

in addition to normal suggestions (e.g., keep a journal) …

  • take video recordings, including the backs and sides of all computers; place numbered labels on each cable and each plug/port, to be able to re-assemble everything

  • computer storage media can be small and can be disguised

  • a tablet PC is useful in sketching the scene

  • computer data is volatile, so check the computer as soon as possible: powered on or off? if powered on, decide whether to pull the plug, initiate a normal shutdown, or attempt a live capture (pulling the plug loses the contents of memory; a normal shutdown writes to the disk)

  • note: criminals may leave booby-traps to destroy data

    • e.g., under MS-DOS the directory-listing command (dir) can be remapped to the delete-tree command (deltree), so that an investigator who innocently lists a directory wipes it

  • goal: preserve as much data as possible
