6 Conducting Digital Investigations Dr. John P. Abraham Professor UTPA

Page 1: 6 Conducting Digital Investigations

6 Conducting Digital Investigations

Dr. John P. Abraham

Professor

UTPA

Page 2: 6 Conducting Digital Investigations

Steps for conducting investigation

– Preparation
– Survey/identification
– Preservation
– Examination and analysis
– Presentation

• We can use different models to achieve this: Physical Model, Staircase Model, Evidence Flow Model, Subphase Model, and Roles and Responsibilities Model.

Page 3: 6 Conducting Digital Investigations

Preparation:

• Generating a plan of action to conduct an effective digital investigation.

• Obtain supporting resources and materials.

Page 4: 6 Conducting Digital Investigations

Survey/Identification

• Finding potential sources of digital evidence.

• Survey of evidence.

Page 5: 6 Conducting Digital Investigations

Preservation

• Preventing changes of in situ digital evidence.

• Isolating the system on the network

• Securing relevant log files

• Collecting volatile data

Page 6: 6 Conducting Digital Investigations

Examination and Analysis

• Searching for and interpreting trace evidence.

• Forensic examination is the process of extracting and viewing information from the evidence.

• Forensic analysis is the application of the scientific method and critical thinking to address: who, what, where, when, how and why.

Page 7: 6 Conducting Digital Investigations

Presentation

• Reporting of the findings

Page 8: 6 Conducting Digital Investigations

Physical Model

• Crime scene preservation – secure the area
• Crime scene survey – identify physical evidence
• Documentation – photographs, sketches, maps of evidence and crime scene.
• Search for non-obvious evidence and collection.
• Crime scene reconstruction based on theories developed from analysis.

Page 9: 6 Conducting Digital Investigations

Staircase model

• Crime or policy violation
• Assessment of worth, prioritize, choose
• Identification or seizure
• Preservation
• Recovery
• Harvesting
• Reduction
• Focus, search
• Analysis
• Report
• Persuasion and testimony

Page 10: 6 Conducting Digital Investigations

Other models

• Evidence flow model – p. 194

• Subphase model – p. 195

• Roles and responsibilities model – p. 196

Page 11: 6 Conducting Digital Investigations

Scaffolding for digital investigations

• Accusation or incident alert
– Alarm from an intrusion detection system, review of firewall logs, suspicious entries in server logs, etc.
– A complaint

• Authorization
– Assure that the search does not violate laws or give rise to liability. Obtain instructions and written authorizations. If a warrant is required, get it.

• Transportation
– Moving evidence to the forensic lab. Chain of custody.

• Verification and case management
– Hash, multiple tools, etc.

Page 12: 6 Conducting Digital Investigations

Applying the scientific method in digital investigations

• Formation and Evaluation of Hypotheses

• Preparation

• Preservation

• Examination

• Analysis

• Reporting and Testimony

Each is discussed in the following slides.

Page 13: 6 Conducting Digital Investigations

Hypotheses

Theory formed of what may have occurred.

Example: Claim - Senior management stole proprietary data while exiting the business. Hypotheses formed:

• Proprietary information was emailed out of the business, using work email or private email. Webmail fragments will exist in the filesystem of the employee's laptop.

• Copied to a USB and taken out.

Page 14: 6 Conducting Digital Investigations

Case example

• One party claimed the contract conditions were not met because the accused did not send a reply email. The defendant claimed it was sent on a given date.

– H1: the email was sent at a later time and made to appear sent earlier by rolling back the clock.

– H2: the email was sent at a later time using some other computer and was imported to the defendant’s computer.

• The Vista event log of the defendant’s computer can be examined for out-of-order items.

• Metadata of the email will prove or disprove H2. The Message-ID field of the email can be compared with that of other messages.
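The two checks the slide proposes, written out as an added example that is not part of the slides: walking an event log in write order to spot a timestamp that runs backwards (H1), and comparing the domain part of each message's Message-ID against the sender's other messages (H2). All log records and e-mail headers below are constructed sample data, and the field names (record number, timestamp, From, Message-ID) are assumptions that mirror the slide's description rather than any specific tool's output.

```python
"""Added example, not part of the slides: two checks that follow from the
case hypotheses above. All event-log records and e-mail headers below are
constructed sample data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from email.utils import parseaddr
import re


@dataclass(frozen=True)
class EventRecord:
    record_number: int   # assigned sequentially by the OS as records are written
    timestamp: datetime  # taken from the system clock at write time


def find_clock_rollbacks(records):
    """H1 check: walk the log in write order and return (previous, current)
    pairs where the timestamp moved backwards. Write order comes from the
    record number, which a rolled-back clock cannot change; the timestamp is
    the field such a rollback would distort."""
    ordered = sorted(records, key=lambda r: r.record_number)
    return [(prev, cur) for prev, cur in zip(ordered, ordered[1:])
            if cur.timestamp < prev.timestamp]


_MSGID_RE = re.compile(r"<([^@>]+)@([^>]+)>")


def message_id_domain(header_value):
    """Return the right-hand side of a Message-ID header (lower-cased), or
    None when the header is missing or not in <local@domain> form."""
    m = _MSGID_RE.search(header_value or "")
    return m.group(2).lower() if m else None


def find_message_id_outliers(messages):
    """H2 check: the Message-ID is assigned by the originating client or
    server, so a message whose Message-ID domain matches none of the other
    messages from the same sender is a candidate for having been composed
    elsewhere and imported. `messages` is a list of dicts with 'From' and
    'Message-ID' keys. Senders with a single message are skipped because
    there is nothing to compare against."""
    by_sender = defaultdict(list)
    for msg in messages:
        sender = parseaddr(msg.get("From", ""))[1].lower()
        by_sender[sender].append(msg)
    outliers = []
    for sender, msgs in by_sender.items():
        if len(msgs) < 2:
            continue
        domains = Counter(message_id_domain(m.get("Message-ID")) for m in msgs)
        for m in msgs:
            if domains[message_id_domain(m.get("Message-ID"))] == 1:
                outliers.append((sender, m.get("Message-ID")))
    return outliers


# Constructed sample log: record 103 carries a timestamp eleven days
# earlier than record 102, which preceded it on disk.
SAMPLE_EVENTS = [
    EventRecord(101, datetime(2013, 5, 1, 9, 0)),
    EventRecord(102, datetime(2013, 5, 1, 9, 5)),
    EventRecord(103, datetime(2013, 4, 20, 14, 0)),
    EventRecord(104, datetime(2013, 4, 20, 14, 30)),
    EventRecord(105, datetime(2013, 5, 1, 9, 10)),
]

# Constructed sample headers: three of Alice's messages share a Message-ID
# domain; the fourth does not.
SAMPLE_MESSAGES = [
    {"From": "Alice <alice@example.com>", "Message-ID": "<a1@mail.example.com>"},
    {"From": "alice@example.com", "Message-ID": "<a2@mail.example.com>"},
    {"From": "alice@example.com", "Message-ID": "<a3@mail.example.com>"},
    {"From": "alice@example.com", "Message-ID": "<z9@desktop-other.local>"},
    {"From": "bob@example.org", "Message-ID": "<b1@mx.example.org>"},
]

if __name__ == "__main__":
    for prev, cur in find_clock_rollbacks(SAMPLE_EVENTS):
        print(f"clock went backwards between record {prev.record_number} "
              f"({prev.timestamp}) and record {cur.record_number} ({cur.timestamp})")
    for sender, msgid in find_message_id_outliers(SAMPLE_MESSAGES):
        print(f"{sender}: Message-ID {msgid} does not match this sender's other messages")
```

Neither check proves a hypothesis on its own: a backwards timestamp can also come from a legitimate clock correction, and a different Message-ID domain from a sender switching mail clients. They narrow down which records and messages deserve the closer examination the slide describes.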

Page 15: 6 Conducting Digital Investigations

Preparation

• Create a plan of action to perform an effective digital investigation
– Preparation for the preservation step ensures that the best evidence can be preserved.
– Preparation for preventing future incidents includes establishment of a framework that includes policies, procedures, centralized logging, and properly trained personnel.

Page 16: 6 Conducting Digital Investigations

Survey

• Observation: a methodical inspection of the crime scene.

• Hypothesis: theories should be developed about why certain evidence is not present, or present.

• Prediction: ideas developed regarding missing items.

Backup tapes are good potential sources for missing evidence.

Page 17: 6 Conducting Digital Investigations

Preservation

Collect volatile items first and preserve integrity of data.

Page 18: 6 Conducting Digital Investigations

Examples:

• Hard drives
– Observation: type of drive, tracks and sectors.
– Hypothesis: a complete and accurate duplicate of the hard drive can be obtained without altering the original.
– Prediction: the resulting forensic duplicate will have the same hash value as the original disk drive.
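How the prediction above is tested in practice, and how the "Verification and case management" step (hash, multiple tools) from the scaffolding slide records the result, as an added example that is not part of the slides: the source and its duplicate are hashed in a single streaming pass with two independent algorithms, the digests are compared, and each handling step is written to a simple chain-of-custody entry. The "drive" contents, the item identifiers and the examiner name are constructed; on a real case the same functions would read from a write-blocked source device and from the acquired image file.

```python
"""Added example, not part of the slides: verifying a forensic duplicate
against its source by hash and recording the verification in a
chain-of-custody entry. Sample data below is constructed."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 256 * 1024  # stream in 256 KiB pieces so large images never load whole


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Hash a file-like object once, feeding every chunk to each algorithm.
    Reporting two independent digests (here MD5 and SHA-256) means a match
    does not rest on a single hash function."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_duplicate(source, duplicate, algorithms=("md5", "sha256")):
    """Return (ok, source_hashes, duplicate_hashes); ok is True only when
    every requested digest of the duplicate equals that of the source."""
    src = hash_stream(source, algorithms)
    dup = hash_stream(duplicate, algorithms)
    return all(src[a] == dup[a] for a in algorithms), src, dup


def custody_entry(item_id, action, handler, hashes, when=None):
    """One chain-of-custody record: who did what to which item, when, and the
    digests observed at that moment. Timestamps are kept in UTC."""
    when = when or datetime.now(timezone.utc)
    return {
        "item": item_id,
        "action": action,
        "handler": handler,
        "time_utc": when.isoformat(),
        "hashes": dict(hashes),
    }


# Constructed 1 MiB "drive": a repeating 0..255 byte pattern.
SAMPLE_SOURCE = bytes(range(256)) * 4096
# A faithful duplicate, and one in which a single byte changed after
# acquisition (for example an image mounted read-write by mistake).
SAMPLE_GOOD_DUPLICATE = bytes(SAMPLE_SOURCE)
SAMPLE_BAD_DUPLICATE = SAMPLE_SOURCE[:1000] + b"\x00" + SAMPLE_SOURCE[1001:]


def run_verification():
    """Verify both sample duplicates and build the custody log for the good
    one. Returns (good_ok, bad_ok, log)."""
    good_ok, src, dup = verify_duplicate(
        io.BytesIO(SAMPLE_SOURCE), io.BytesIO(SAMPLE_GOOD_DUPLICATE))
    bad_ok, _, _ = verify_duplicate(
        io.BytesIO(SAMPLE_SOURCE), io.BytesIO(SAMPLE_BAD_DUPLICATE))
    # Item ids and handler are constructed placeholders.
    log = [
        custody_entry("HDD-001", "hashed source", "examiner A", src),
        custody_entry("IMG-001", "hashed and verified duplicate", "examiner A", dup),
    ]
    return good_ok, bad_ok, log


if __name__ == "__main__":
    good_ok, bad_ok, log = run_verification()
    print("good duplicate matches:", good_ok)
    print("altered duplicate matches:", bad_ok)
    for entry in log:
        print(entry["time_utc"], entry["item"], entry["action"], entry["hashes"]["sha256"])
```

Hashing the source before and after acquisition, and the duplicate immediately afterwards, gives three digests that should all agree; any mismatch says exactly where in the chain something changed, which is what the reporting step later needs to substantiate.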

Page 19: 6 Conducting Digital Investigations

E-mail on server

• Observation: email stored on a server, including some deleted messages

• Hypothesis: emails of interest can be copied without disruption to the server.

• Mobile device
– Observation: there is a digital camera
– Hypothesis: a complete and accurate duplicate of the photographs can be made
– Prediction: pictures and video taken with the digital camera can be retrieved.

Page 20: 6 Conducting Digital Investigations

Analysis

• Application of scientific method and critical thinking: who, what, where, when, how and why.

• Detailed scrutiny of data

• Information obtained during the digital investigation is combined to reconstruct the events relating to the crime.

Page 21: 6 Conducting Digital Investigations

Reporting and Testimony

• Final reports should contain important detail from each step
– Refer to protocols followed
– Methods used to seize, document, collect, preserve, recover and reconstruct.
– Any conclusions reached should be substantiated with supporting evidence and analysis.
– Show objectivity by describing alternative theories that were eliminated.

Page 22: 6 Conducting Digital Investigations

Assignment

• Pages 220 to 224 describe a scenario using the theory described in this chapter.

• In your own words summarize it.
