CSN08101 Digital Forensics, Lecture 4A: Forensic Processes (Module Leader: Dr Gordon Russell; Lecturers: Robert Ludwiniak)


Page 1: CSN08101 Digital Forensics · According to many professionals, Computer Forensics is a four (4) step process: Evaluation Evaluating the information/data recovered to determine if

CSN08101 Digital Forensics

Lecture 4A: Forensic Processes

Module Leader: Dr Gordon Russell

Lecturers: Robert Ludwiniak

Page 2

Forensic Processes - Objectives

– Investigation Process

– Forensic Ethics Issues

– Forensic Law Issues

Page 3

Investigation Process

According to many professionals, Computer Forensics is a four (4) step process:

Acquisition: Physically or remotely obtaining possession of the computer, all network mappings from the system, and external physical storage devices

Identification: This step involves identifying what data could be recovered and electronically retrieving it by running various Computer Forensic tools and software suites

Page 4

Investigation Process

According to many professionals, Computer Forensics is a four (4) step process:

Evaluation: Evaluating the information/data recovered to determine if and how it could be used against the suspect for employment termination or prosecution in court

Presentation: This step involves the presentation of the evidence discovered in a manner which is understood by lawyers and non-technical staff/management, and which is suitable as evidence as determined by United States and internal laws

Page 5

Digital Investigation Process Model

Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”

Page 6

Readiness Phases

Computer forensics lab

• Where you conduct your investigation

• Store evidence

• House your equipment, hardware, and software

American Society of Crime Laboratory Directors (ASCLD) offers guidelines for:

• Managing a lab

• Acquiring an official certification

• Auditing lab functions and procedures

Page 7

Staff Readiness

Lab manager duties:

• Estimate when to expect preliminary and final results

• Create and monitor lab policies for staff

• Provide a safe and secure workplace for staff and evidence

Staff member duties:

• Knowledge and training:

– Hardware and software

– OS and file types

– Deductive reasoning

Page 8

Acquiring Certification and Training

• Update your skills through appropriate training

• International Association of Computer Investigative Specialists (IACIS)

– Created by police officers who wanted to formalize credentials in computing investigations

– Certified Electronic Evidence Collection Specialist (CEECS)

– Certified Forensic Computer Examiners (CFCEs)

Page 9

Acquiring Certification and Training (continued)

• High-Tech Crime Network (HTCN)

– Certified Computer Crime Investigator, Basic and Advanced Level

– Certified Computer Forensic Technician, Basic and Advanced Level

• EnCase Certified Examiner (EnCE) Certification

• AccessData Certified Examiner (ACE) Certification

• Other Training and Certifications

– High Technology Crime Investigation Association (HTCIA)

Page 10

Acquiring Certification and Training (continued)

• Other training and certifications

– SysAdmin, Audit, Network, Security (SANS) Institute

– Computer Technology Investigators Network (CTIN)

– New Technologies, Inc. (NTI)

– Southeast Cybercrime Institute at Kennesaw State University

– Federal Law Enforcement Training Center (FLETC)

– National White Collar Crime Center (NW3C)

Page 11

Physical Requirements for a Computer Forensics Lab

• Most of your investigation is conducted in a lab

• Lab should be secure so evidence is not lost, corrupted, or destroyed

• Provide a safe and secure physical environment

• Keep inventory control of your assets

– Know when to order more supplies

Page 12

Digital Crime Scene Investigation Phases

Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”

Page 13

Digital Evidence Searching Phase

Page 14

Event Reconstruction Phase

Brian Carrier – “An Event-Based Digital Forensic Investigation Framework”

Page 15

Ethics and Codes

• Ethics

– Rules you internalize and use to measure your performance

• Codes of professional conduct or responsibility

– Standards that others apply to you or that you are compelled to adhere to by external forces

• Such as licensing bodies

• People need ethics to help maintain their balance

– And self-respect and the respect of their profession

Page 16

Applying Ethics and Codes

• Laws governing codes of professional conduct or responsibility

– Define the lowest level of action or performance required to avoid liability

• Expert witnesses should present unbiased, specialized, and technical evidence to a jury

• Expert witnesses testify in more than 80% of trials

– And in many trials, multiple expert witnesses testify

Page 17

Applying Ethics and Codes to Expert Witnesses

• The most important laws applying to attorneys and witnesses are the rules of evidence

• Experts are bound by their own personal ethics and the ethics of their professional organizations

– In the United States, there’s no state or national licensing body for computer forensics examiners

Page 18

Computer Forensics Examiners’ Roles in Testifying

• Computer forensics examiners have two roles:

– Scientific/technical witness and expert witness

• Scientific/technical witness

– Person involved in a case, the investigator that found and presented the evidence

• As expert witness

– You can testify even if you weren’t present when the event occurred

– Or didn’t handle the data storage device personally

– Criticism: it’s possible to find and hire an expert to testify to almost any opinion on any topic

Page 19

Organizations with Codes of Ethics

• No single source offers a definitive code of ethics for forensic investigators

• You must draw on standards from other organizations to form your own ethical standards

Page 20

International Society of Forensic Computer Examiners

• Includes guidelines such as the following:

– Maintain the utmost objectivity in all forensic examinations and present findings accurately

– Conduct examinations based on established, validated principles

– Testify truthfully in all matters before any board, court, or proceeding

– Avoid any action that would appear to be a conflict of interest

Page 21

International Society of Forensic Computer Examiners (continued)

• Includes guidelines such as the following: (continued)

– Never misrepresent training, credentials, or association membership

– Never reveal any confidential matters or knowledge learned in an examination without an order from a court of competent jurisdiction or the client’s express permission

Page 22

International High Technology Crime Investigation Association

• HTCIA core values include the following requirements related to testifying:

– The HTCIA values the Truth uncovered within digital information and the effective techniques used to uncover that Truth, so that no one is wrongfully convicted

– The HTCIA values the Integrity of its members and the evidence they expose through common investigative and computer forensic best practices, including specialized techniques used to gather digital evidence

Page 23

International Association of Computer Investigative Specialists

• Standards for IACIS members include:

– Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved

– Thoroughly examine and analyze the evidence

– Conduct examinations based upon established, validated principles

– Render opinions having a basis that is demonstratively reasonable

– Not withhold any findings that would cause the facts of a case to be misrepresented or distorted

Page 24

BCS CODE OF CONDUCT

• Public Interest

– Legitimate rights of third parties include protecting personal identifiable data to prevent unlawful disclosure and identity theft, and also respect for copyright, patents and other intellectual property.

• Professional Competence and Integrity

– You should only claim current competence where you can demonstrate you have the required expertise, e.g. through recognised competencies, qualifications or experience.

• Duty to Relevant Authority

– If any conflict is likely to occur, or be seen by a third party as likely to occur, you will make full and immediate disclosure to your Relevant Authority.

• Duty to the Profession

– Share knowledge and understanding of IT and support inclusion of every sector of society.

Page 25

Legal Issues

In a criminal investigation you ALWAYS have to have a warrant!!!

A warrant can be issued for:

An entire company, floor, room, a device, car, house, or any company/person owned property

Mobile phone cases – issues with the interception rules laid down in RIPSA [Regulation of Investigatory Powers (Scotland) Act]

Page 26

Ethics and Warrants

A lot of the ethical issues are covered by the warrants system. Before a warrant can be issued, a judge is presented with the evidence that suggests a search will find something relating to the crime under investigation. He will then weigh this against the person's freedoms and decide whether the warrant should be granted.

Page 27

Corporate Investigation Issues

A non-criminal internal investigation can be restricted by the individual’s right of privacy:

Data Protection Act

Company Policies

Page 28

Best Practice

• ACPO

– Principle 1 - No action taken by law enforcement or their agents should change data held on an electronic device or media which may subsequently be relied upon in Court.

– Principle 2 - In exceptional circumstances where a person finds it necessary to access original data held on an electronic device or media, that person must be competent to do so, and be able to give evidence explaining the relevance and the implications of their actions.

Page 29

Best Practice

• ACPO

– Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Page 30

Best Practice

• ACPO

– Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
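The following is an added worked example, not part of the lecture slides or of any ACPO material, showing how Principles 1 and 3 are put into practice in code: the acquired image is fingerprinted with SHA-256 so that any later change to the data is detectable (Principle 1), and every process applied to the evidence is written to a hash-chained audit trail that an independent third party can replay and re-verify (Principle 3). The "disk image", the case identifier, the examiner name and the timestamps are all constructed sample values; in a real lab the image would be the output of a write-blocked acquisition tool.

```python
"""Added example (not from the CSN08101 slides): evidence-integrity checks and a
hash-chained audit trail in the spirit of ACPO Principles 1 and 3.

All evidence, case and examiner values below are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed stand-in for an acquired disk image: 4 KiB of deterministic bytes.
SAMPLE_IMAGE = bytes((i * 7) % 256 for i in range(4096))
UNCHAINED = "0" * 64  # prev-hash value for the first audit entry


def sha256_hex(data: bytes) -> str:
    """Principle 1: the image hash is the reference value every later step is checked against."""
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Principle 3: append-only, hash-chained record of every process applied to the evidence."""

    def __init__(self, case_id: str, examiner: str):
        self.case_id = case_id
        self.examiner = examiner
        self.entries = []

    def record(self, action: str, tool: str, input_hash: str, output_hash: str, when: datetime) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else UNCHAINED
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": when.isoformat(),
            "examiner": self.examiner,
            "action": action,
            "tool": tool,
            "input_sha256": input_hash,
            "output_sha256": output_hash,
            "prev_entry_hash": prev,
        }
        # The entry hash covers every field above, so editing a past entry breaks the chain.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def to_json(self) -> str:
        return json.dumps({"case_id": self.case_id, "entries": self.entries}, indent=2)


def verify_trail(trail_json: str, image: bytes):
    """What the independent third party runs: recompute the image hash from the image it was
    given, then walk the trail checking each entry's hash and its link to the previous entry.
    Returns (ok, message)."""
    entries = json.loads(trail_json)["entries"]
    if not entries:
        return False, "empty trail"
    if entries[0]["input_sha256"] != sha256_hex(image):
        return False, "image hash does not match first audit entry"
    prev = UNCHAINED
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            return False, f"entry {e['seq']} has been altered"
        if e["prev_entry_hash"] != prev:
            return False, f"entry {e['seq']} chain link broken"
        prev = e["entry_hash"]
    return True, f"{len(entries)} entries verified"


def build_demo_trail() -> AuditTrail:
    """Constructed case: acquire, verify the working copy, run a read-only search."""
    t0 = datetime(2020, 8, 5, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    image_hash = sha256_hex(SAMPLE_IMAGE)
    trail = AuditTrail(case_id="CASE-EXAMPLE-001", examiner="Examiner A")  # constructed
    trail.record("acquire image (write-blocked)", "imager (hypothetical)", image_hash, image_hash, t0)
    # Verifying the working copy hashes the same bytes, so input and output hashes are equal.
    trail.record("verify working copy", "hash tool (hypothetical)", image_hash, image_hash, t0 + timedelta(minutes=5))
    results = b"constructed keyword hits\n"
    trail.record("keyword search", "search tool (hypothetical)", image_hash, sha256_hex(results), t0 + timedelta(hours=1))
    return trail


def tamper_demo(kind: str):
    """Show what the third-party check reports when the trail is edited or an entry is removed."""
    trail = build_demo_trail()
    if kind == "edit":
        trail.entries[1]["tool"] = "unknown"  # silently rewrite a past entry
    elif kind == "delete":
        del trail.entries[1]  # drop a step from the record
    return verify_trail(trail.to_json(), SAMPLE_IMAGE)


if __name__ == "__main__":
    demo = build_demo_trail()
    print(verify_trail(demo.to_json(), SAMPLE_IMAGE))
    print(tamper_demo("edit"))
    print(tamper_demo("delete"))
```

Running the block verifies the three-entry trail, then shows that editing one entry or deleting one is reported by the replay, which is the point of Principle 3: the record has to let someone else reach the same result, and it has to make a gap or alteration visible rather than just plausible.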

Page 31

ANY QUESTIONS?

Page 32

Assessment: Short-Answer Examples

Question: What are the requirements for the computer forensic lab?

Answer:

Page 33

Assessment: Short-Answer Examples

Question: What is the difference between Ethics and a Code of Practice?

Answer:

Page 34

Assessment: Short-Answer Examples

Question: How can the Data Protection Act create problems in a corporate investigation?

Answer: