
Page 1: CS Forensic Investigationcysecure.org/530/online/fc02investiga.pdf · Preparing a Computer Investigation Role of computer forensics professional is to gather evidence to prove that

Forensic Investigation

Mercy College

CYBERSECURITY FORENSICS


Guide to Computer Forensics and Investigations 2

Objectives

Explain how to prepare a computer investigation

Apply a systematic approach to an investigation

Describe procedures for corporate high-tech investigations

Explain requirements for data recovery workstations and software

Describe how to conduct an investigation

Explain how to complete and critique a case


Preparing a Computer Investigation

Role of computer forensics professional is to gather evidence to prove that a suspect committed a crime or violated a company policy

Collect evidence that can be offered in court or at a corporate inquiry

• Investigate the suspect’s computer

• Preserve the evidence on a different computer

Follow an accepted procedure to prepare a case

Chain of Custody

• Route the evidence takes from the time you find it until the case is closed or goes to court


Chain of Custody

Chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis and disposition of physical or electronic evidence.

Aims to establish that the alleged evidence is in fact related to the alleged crime, rather than having, for example, been "planted" fraudulently to make someone appear guilty.


Examples of CoC

Hackers remotely kill a Jeep on the highway, https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ .

How my mom got hacked, https://www.nytimes.com/2015/01/04/opinion/sunday/how-my-mom-got-hacked.html?_r=0 .

Someone had taken over my life: an identity theft victim’s story, https://www.forbes.com/sites/laurashin/2014/11/18/someone-had-taken-over-my-life-an-identity-theft-victims-story/#1e75041a25be .

Amazon’s customer service backdoor, https://medium.com/@espringe/amazon-s-customer-service-backdoor-be375b3428c4 .

Hotel room hacker, https://www.wired.com/2017/08/the-hotel-hacker/ .


More General Cases

• Employee Termination Cases

• Media Leaking Cases

• Media Destruction or Manipulation Cases

• Industrial Espionage Cases

Location: Disks, Network, Memory; Windows, Linux, iPhone, Android

Media: Text, Image, Sound, Photos, Video, or damaged…

Method: Collection technique

V&V Investigation: Investigator name, Date and time


What if CoC is Broken?

CoC is broken either

• Intentionally

• Accidentally

The evidence cannot be presented in court.

• The integrity of the crime scene is lost


What if CoC is Yet Another Cyber Crime? Read:

• https://www.forensicscolleges.com/blog/resources/real-cases-of-forensic-fraud-flawed-evidence

If a broken CoC inculpates someone, the forensic investigation is fatally flawed and the defendant should be exonerated.

How do we know CoC is broken?

• If all artifacts at the crime scene are available, another investigation may begin


What if Biases Influence the Forensic Decisions? Read:

• http://science.sciencemag.org/content/360/6386/243

Forensic evidence is mediated by human and cognitive factors

Biases in forensic expert decision-making

• Evidence-driven biases

• Target suspect-driven biases


Taking a Systematic Approach

Steps for problem solving

1. Make an initial assessment about the type of case you are investigating

2. Determine a preliminary design or approach to the case

3. Create a detailed checklist

4. Determine the resources you need

5. Obtain and copy an evidence disk drive

6. Identify the risks

7. Mitigate or minimize the risks

8. Test the design

9. Analyze and recover the digital evidence

10. Investigate the data you recover

11. Complete the case report

12. Critique the case


Assessing the Case

Systematically outline the case details

• Situation

• Nature of the case

• Specifics of the case

• Type of evidence

• Operating system

• Known disk format

• Location of evidence

Based on case details, you can determine the case requirements

• Type of evidence

• Computer forensics tools

• Special OS

Planning Your Investigation (continued)

Two types

• Single-evidence form

o Lists each piece of evidence on a separate page

• Multi-evidence form


Conducting an Investigation

Gather resources identified in investigation plan

Items needed

• Original storage media

• Evidence custody form

• Evidence container for the storage media

• Bit-stream imaging tool

• Forensic workstation to copy and examine your evidence

• Securable evidence locker, cabinet, or safe


Gathering the Evidence

Avoid damaging the evidence

Steps

• Meet the IT manager to interview him

• Fill out the evidence form, have the IT manager sign

• Place the evidence in a secure container

• Complete the evidence custody form

• Carry the evidence to the computer forensics lab

• Create forensics copies (if possible)

• Secure evidence by locking the container
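The evidence custody form, the V&V fields on the "More General Cases" slide (investigator name, date and time) and the question "How do we know CoC is broken?" all come down to one property: every handling event is recorded and any later edit, deletion or reordering of the record is detectable, and the forensic copy still hashes to the value taken at acquisition. The following is an added example, not code from the slides or from the cited textbook; it walks the "Gathering the Evidence" steps above on a constructed byte string standing in for a bit-stream image. The case id "CASE-0001", evidence id "HDD-01", investigator names and timestamps are all constructed for illustration.

```python
"""Evidence custody trail with integrity checks.

Added example for this deck (not code from the slides or the cited textbook).
Assumptions, all constructed for illustration: the case id "CASE-0001", the
evidence id "HDD-01", the investigator names, the timestamps, and the byte
string standing in for a bit-stream image.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # prev_hash recorded by the first entry in a trail


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; used both for the image and for log entries."""
    return hashlib.sha256(data).hexdigest()


def verify_image(image_bytes: bytes, expected_digest: str) -> bool:
    """Check that a forensic copy still matches the digest taken at acquisition."""
    return sha256_hex(image_bytes) == expected_digest


class CustodyLog:
    """Chronological custody entries. Each entry is hashed over its own fields
    plus the hash of the previous entry, so editing, removing or reordering an
    entry breaks every later link and the break point can be named."""

    def __init__(self, case_id: str, evidence_id: str, image_digest: str):
        self.case_id = case_id
        self.evidence_id = evidence_id
        self.image_digest = image_digest
        self.entries = []  # list of dicts, appended in custody order

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, investigator: str, action: str,
               timestamp: Optional[str] = None) -> str:
        """Append one custody event (who, when, what) and return its hash."""
        entry = {
            "case_id": self.case_id,
            "evidence_id": self.evidence_id,
            "image_digest": self.image_digest,
            "seq": len(self.entries),
            "investigator": investigator,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify_chain(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the trail is intact, otherwise
        (False, seq) for the first entry at which the trail breaks."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False, i
            if self._digest(entry) != entry["entry_hash"]:
                return False, i
            prev = entry["entry_hash"]
        return True, None


def demo() -> dict:
    """Walk the slide's evidence-gathering steps on a constructed image, then
    show the two kinds of break the checks are meant to catch."""
    image = b"constructed stand-in for a bit-stream image of HDD-01"
    digest = sha256_hex(image)
    log = CustodyLog("CASE-0001", "HDD-01", digest)
    log.record("A. Investigator", "interviewed IT manager; evidence form signed",
               "2020-06-21T09:00:00+00:00")
    log.record("A. Investigator", "placed media in sealed evidence container",
               "2020-06-21T09:10:00+00:00")
    log.record("A. Investigator", "transported to forensics lab",
               "2020-06-21T10:30:00+00:00")
    log.record("B. Examiner", "bit-stream copy created and hashed",
               "2020-06-21T11:00:00+00:00")
    log.record("B. Examiner", "container locked in evidence safe",
               "2020-06-21T11:15:00+00:00")
    intact = log.verify_chain()           # (True, None)
    copy_ok = verify_image(image, digest)  # True
    # Break 1: an entry is rewritten after the fact; the chain fails at seq 2.
    log.entries[2]["action"] = "transported to lab (rewritten)"
    edited = log.verify_chain()           # (False, 2)
    # Break 2: the working copy differs by one byte from what was hashed.
    copy_bad = verify_image(image + b"\x00", digest)  # False
    return {"intact": intact, "copy_ok": copy_ok, "edited": edited, "copy_bad": copy_bad}


if __name__ == "__main__":
    print(demo())
```

A real evidence custody form adds signatures and a description of the item; what the hash chain contributes is a mechanical answer to "how do we know CoC is broken?": `verify_chain` names the first entry whose content or position no longer matches what was recorded, and `verify_image` answers whether the copy being examined is still the one that was acquired.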


Practice of CoC

Read carefully one of the cyber crime examples

List the documentation or digital evidence trails