Forensic Investigation (source: cysecure.org/530/online/fc02investiga.pdf)
Posted 21-Jun-2020
Forensic Investigation
Mercy College
Cybersecurity Forensics
Guide to Computer Forensics and Investigations
Objectives
Explain how to prepare a computer investigation
Apply a systematic approach to an investigation
Describe procedures for corporate high-tech investigations
Explain requirements for data recovery workstations and software
Describe how to conduct an investigation
Explain how to complete and critique a case
Preparing a Computer Investigation
Role of computer forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy
Collect evidence that can be offered in court or at a corporate inquiry
• Investigate the suspect’s computer
• Preserve the evidence on a different computer
Follow an accepted procedure to prepare a case
Chain of Custody
• Route the evidence takes from the time you find it until the case is closed or goes to court
Chain of Custody
Chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis and disposition of physical or electronic evidence.
Aims to establish that the alleged evidence is in fact related to the alleged crime, rather than having, for example, been "planted" fraudulently to make someone appear guilty.
Examples of CoC
Hackers remotely kill a Jeep on the highway, https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ .
How my mom got hacked, https://www.nytimes.com/2015/01/04/opinion/sunday/how-my-mom-got-hacked.html?_r=0 .
Someone had taken over my life: an identity theft victim’s story, https://www.forbes.com/sites/laurashin/2014/11/18/someone-had-taken-over-my-life-an-identity-theft-victims-story/#1e75041a25be .
Amazon’s customer service backdoor, https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4 .
Hotel room hacker, https://www.wired.com/2017/08/the-hotel-hacker/ .
More General Cases
Employee Termination Cases
Media Leaking Cases
Media Destroy or Manipulation Cases
Industrial Espionage Cases
Location: disks, network, memory; Windows, Linux; iPhone, Android
Media: text, image, sound, photos, video, or damaged…
Method: collection technique
V&V Investigation: investigator name, date and time
What if CoC is Broken?
CoC can be broken
• Intentionally
• Accidentally
The evidence cannot be presented in court.
• It loses the integrity of the crime scene
What if the CoC is Handled by Yet Another Cyber Criminal? Read:
• https://www.forensicscolleges.com/blog/resources/real-cases-of-forensic-fraud-flawed-evidence
If a broken CoC inculpates someone, the forensic investigation is fatally flawed and the defendant should be exonerated.
How do we know CoC is broken?
• If all artifacts at the crime scene are available, another investigation may begin
What if Biases Influence the Forensic Decisions? Read:
• http://science.sciencemag.org/content/360/6386/243
Forensic evidence is mediated by human and cognitive factors
Biases in forensic expert decision-making
• Evidence-driven biases
• Target suspect-driven biases
Taking a Systematic Approach
Steps for problem solving
1. Make an initial assessment about the type of case you are investigating
2. Determine a preliminary design or approach to the case
3. Create a detailed checklist
4. Determine the resources you need
5. Obtain and copy an evidence disk drive
6. Identify the risks
7. Mitigate or minimize the risks
8. Test the design
9. Analyze and recover the digital evidence
10. Investigate the data you recover
11. Complete the case report
12. Critique the case
Assessing the Case
Systematically outline the case details
• Situation
• Nature of the case
• Specifics of the case
• Type of evidence
• Operating system
• Known disk format
• Location of evidence
Based on case details, you can determine the case requirements
• Type of evidence
• Computer forensics tools
• Special OS
Planning Your Investigation (continued)
Two types of evidence custody form
• Single-evidence form
o Lists each piece of evidence on a separate page
• Multi-evidence form
Conducting an Investigation
Gather resources identified in investigation plan
Items needed
• Original storage media
• Evidence custody form
• Evidence container for the storage media
• Bit-stream imaging tool
• Forensic workstation to copy and examine your evidence
• Securable evidence locker, cabinet, or safe
Gathering the Evidence
Avoid damaging the evidence
Steps
• Meet the IT manager to interview him
• Fill out the evidence form, have the IT manager sign
• Place the evidence in a secure container
• Complete the evidence custody form
• Carry the evidence to the computer forensics lab
• Create forensics copies (if possible)
• Secure evidence by locking the container
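The chain-of-custody definition earlier in the deck (a chronological record of custody, control, transfer, analysis and disposition) and the evidence-gathering steps above can be turned into a small, checkable record. The following Python script is an added example written for this page; it is not code from the slides or from the Guide to Computer Forensics and Investigations. It keeps one custody entry per event, stores the SHA-256 of the evidence image with each entry, and links each entry to the hash of the previous one, so that verify() reports an edited entry, a missing entry, or a forensic copy whose hash no longer matches the value taken at seizure. The evidence id, custodian names, timestamps and the stand-in disk image are all constructed.

```python
"""Added example (not from the slides or the textbook): a hash-linked
chain-of-custody ledger for one piece of evidence.

Every custody event (collection, transfer, imaging, analysis) is recorded
with a timestamp, custodian, action, and the SHA-256 of the evidence at
that moment. Each entry also carries the hash of the previous entry, so a
later edit to, or removal of, any entry, or a change to the evidence
itself, is reported by verify(). All names, fields and sample data are
constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry

# Constructed stand-in for the bit-stream image of a seized drive.
SAMPLE_IMAGE = b"\x00" * 512 + b"CONSTRUCTED-MBR-AND-PARTITION-DATA" + b"\xff" * 512


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLedger:
    def __init__(self, evidence_id: str, description: str, original_hash: str):
        self.evidence_id = evidence_id
        self.description = description
        self.original_hash = original_hash  # hash taken at seizure
        self.entries = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Canonical JSON of the entry without its own hash field.
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_bytes(json.dumps(body, sort_keys=True).encode())

    def record(self, custodian, action, current_hash, timestamp=None, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "custodian": custodian,
            "action": action,
            "evidence_hash": current_hash,
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def matches_original(self, data: bytes) -> bool:
        """True if a forensic copy still hashes to the value taken at seizure."""
        return sha256_bytes(data) == self.original_hash

    def verify(self):
        """Return (ok, problems); problems explains each way the chain is broken."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i:
                problems.append(f"entry {i}: sequence gap (record says seq {e['seq']})")
            if e["prev_hash"] != prev:
                problems.append(f"entry {i}: link to previous entry does not match")
            if e["entry_hash"] != self._entry_hash(e):
                problems.append(f"entry {i}: entry contents were altered")
            if e["evidence_hash"] != self.original_hash:
                problems.append(f"entry {i}: evidence hash differs from the seizure hash")
            prev = e["entry_hash"]
        return (not problems, problems)


def build_sample_ledger() -> CustodyLedger:
    """Constructed custody trail following the evidence-gathering steps."""
    h = sha256_bytes(SAMPLE_IMAGE)
    led = CustodyLedger("EV-CONSTRUCTED-001", "Laptop HDD seized from workstation", h)
    led.record("A. Investigator", "collected and sealed", h,
               "2020-06-21T09:00:00+00:00", "evidence form signed by IT manager")
    led.record("A. Investigator", "transported to forensics lab", h,
               "2020-06-21T10:30:00+00:00", "sealed container, locker 4")
    led.record("B. Examiner", "bit-stream image created", h,
               "2020-06-21T13:00:00+00:00", "write blocker in place; image hash matches")
    led.record("B. Examiner", "analysis on forensic copy", h,
               "2020-06-22T08:15:00+00:00")
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact ledger:", ledger.verify())
    ledger.entries[1]["custodian"] = "unknown"  # simulate an after-the-fact edit
    print("edited ledger:", ledger.verify())
```

The evidence hash is recorded at every step rather than once, so the ledger shows not only who held the evidence but also that it was unchanged while they held it; a real custody form would add the signatures the slides call for, which the script does not model.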
Practice of CoC
Read carefully one of the cyber crime examples
List documentations or digital evidence trails