CIPFM NEWSLETTER ISSUE 5 STUDY ANYWHERE ANYTIME Find out more about digital forensics in this issue


Post on 11-Aug-2020


In this issue...

CIPFM partners an international institution

An overview of digital forensics; relevance and importance

Testimonial


CIPFM Partners another international Institution

In order to strengthen its services and to provide clients with a variety of products and services, the Chartered Institute of Professional Financial Managers has gone into partnership with the International Institute of Certified Forensic Investigation Professionals (IICFIP).

IICFIP is the world’s unique and premier professional membership organization that not only brings together forensic investigators but also provides forensic investigation skills training to all who are interested in forensic investigations.

CIPFM is going to act as the accredited tuition center for IICFIP programs in Zimbabwe and elsewhere in Southern Africa.

This means anyone who wants to take up any of the IICFIP courses and is in Zimbabwe or anywhere in Southern Africa can easily do so through CIPFM.

This means students can now benefit from the quality professional education that CIPFM offers and can also learn something from across the globe.

CIPFM students can easily attend workshops and conferences that IICFIP hosts across the world.

Besides being students of these two professional development institutions, one can also become a member of either one or both of them.

By being a member, a person can realise many benefits, including receiving journals and publications related to one’s profession, attending global workshops and conferences, and networking with professionals from different parts of the world.

Certified Forensic Investigations Professionals is the leading flagship professional credential offered by IICFIP.

It is the world’s most comprehensive professional investigation credential.

A CFIP can handle any kind of investigation touching on digital forensics and financial forensics as well as criminal investigations. Fraud examination is just an eighth of the CFIP’s skill set.

The combined experience of these two organisations is going to change the field of forensics and the world at large for the better.


An overview of digital forensics

Digital Forensics (DF) has grown from a relatively obscure tradecraft to an important part of many investigations. DF tools are now used on a daily basis by examiners and analysts within local, state and law enforcement agents; within the military and other government organizations, even in Zimbabwe; and within the private “e-Discovery” industry. Developments in forensic research, tools, and process over the past decade have been very successful, and many in leadership positions now rely on these tools on a regular basis, frequently without realizing it.

Moreover, there seems to be a widespread belief, buttressed by portrayals in the popular media, that advanced tools and skillful practitioners can extract actionable information from practically any device that a government, private agency, or even a skillful individual might encounter. As new technologies develop, criminals find ways to apply these technologies to commit crimes. With the explosion of web technologies, almost all major businesses in the world have a web presence, thus exposing their data to legitimate and illegitimate users. Computers have become an intrinsic part of our lives.

Businesses have streamlined their operations, saving millions of dollars because of web technologies and services. Neither the businesses nor the consumers can live without these technologies. Because of the intricate involvement of computer technology in all aspects of our lives, it has also become legal evidence in both civil and criminal cases. Computer evidence admitted in court could be any file or fragment recovered from storage devices, such as email, browsing history, graphics, photographs, or application documents. These files may be undeleted or deleted. Deleted file recovery requires special techniques. Computer professionals trained in digital forensics preserve and retrieve evidence in a non-destructive manner. Evidence may be recovered from any storage medium installed in digital equipment such as computers, cameras, PDAs, or cell phones. All forensic work should be done with care, including documenting a clear chain of custody, in order for the evidence to be admissible in a court of law.

Introduction

With the proliferation of computers in our everyday lives, the need to include computer contents or traces as part of formal evidence has become inevitable. Computerized devices are part of our world in the form of laptops, desktop computers, servers, etc., but there are also many other storage devices that may contain forensic evidence. Devices such as memory cards, personal digital assistants, and video gaming systems are among a myriad of devices that have the ability to accept input, provide output, and also store data. It is this data, or the usage of these devices, that is at the center of computer forensics.

According to Marcella and Menendez, cyber forensics, e-discovery, digital forensics and computer forensics mean relatively the same thing, yet none has emerged as a de facto standard (Marcella, Menendez 2008). They further present a working definition of computer forensics as the science of locating, extracting, and analyzing types of data from different devices, which specialists then interpret to serve as legal evidence. They further state that computer forensics can also be defined as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law (Marcella, Menendez 2008).

Computer forensics aims to obtain as much information as possible from electronic devices or media by utilizing sound forensic techniques, so that it may be admissible in court. This includes concise and sound forensic techniques, including a clear chain of custody and documentation. There are two different areas that must be considered when collecting digital forensic evidence. The first is the process of collecting the evidence without altering its contents and ensuring it is admissible in court.

The second area is the actual use of law-enforcement-grade sound forensic practices that result in the collection being admissible in court. It is not the intent of this document to address the latter. As the authors are computer science professionals, it is the intent of this document to provide a concise overview of the process of collecting forensic evidence and to review different methods, tools, and challenges during forensic analysis and collection.

What Does It Take to Be a Digital Forensic Investigator?

Digital forensic investigators need skills and interests in a variety of areas. The first question I ask someone who is considering this field is if they like puzzles. When investigating a case, you may not know any details other than that something has happened. So if someone needs to be shown or told what has occurred, they may not be a good fit for this field. Sometimes, cases come to an investigator’s attention with instructions to find out what the computer or device user was doing.

At times this may be an open request, whereas other times it is within a specific time frame. However, many times the investigator needs to improvise an approach, as there is not always a clear way to do things. This can be the result of new technology for which a methodology has not been developed, cost issues, or simply because it is the first time the investigator has encountered that situation. The point is that an investigator needs to be someone who can figure things out, not rely solely on others to do so.

Another important characteristic is the ability to handle frustration, because investigative tools and software do not always function without their challenges. This can be a fairly common occurrence when dealing with cell phones and small devices. I have had many students who stop their investigation in class at the first sign of difficulty rather than working through the challenges. They do not even try to find insight into their difficulty through the web or the help system provided with the tool. Someone needs to be persistent and creative to be a successful investigator. Another critical aspect of being a forensic investigator is the ability to keep your mouth closed. Case specifics usually require some level of confidentiality, and this must be maintained.

What Opportunities Are There for Digital Forensic Investigators?

Some of the more common areas for digital forensics investigators would be in law enforcement, the federal government, corporations, and as a private investigator. Typical law enforcement positions would be as a detective and/or in a crime lab, but some agencies deploy low-level forensic tools more broadly throughout the organization. Corrections personnel may also use forensic techniques to ensure that parole conditions are being adhered to. Cell phone analysis is also a very significant component of law enforcement efforts.

Flash memory and solid state drives (SSD) are likely to replace hard drives in the near future because of their superior access speeds. Bell and Boddington (2010) found that SSD can confound current digital forensic techniques. Similarly, Wei et al. (2011) found that traditional hard drive sanitization techniques are ineffective on SSD. Computer technology will continue to evolve, and these examples illustrate that a forensic examiner must evolve as the paradigms within which they operate evolve.

Common Forensic Analysis Techniques

When you conduct forensic analysis, there are a few steps that must be executed in nearly every type of investigation to prepare the data for analysis. For instance, it is usually recommended to recover any deleted files and add them to the analysis. It is also advantageous to reduce the data set collected to the smallest number of files and add them to the analysis for efficient review. Another step that should be incorporated into the analysis is string searching to identify relevant files and fragments of relevant files. Recovering deleted files is of crucial importance, particularly in cases where the target computer in question has been utilized by a savvy computer user or a suspect who may have wanted to delete traces of their digital footprints. In order to avoid doing work twice, recovering deleted files should be done first.
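The preparation steps described above, as an added example that is not part of the original newsletter: recovered items are first reduced to a smaller set, then string-searched for a keyword in both ASCII and UTF-16LE so that a fragment without a file header is still found. Hash-based filtering is an assumed way to reduce the data set (the article names no method), and all file names, contents and the keyword are constructed.

```python
import hashlib

# Constructed sample: name -> raw bytes, standing in for files and fragments
# exported from a working copy of an image (deleted files recovered first).
SAMPLE_ITEMS = {
    "Documents/report.docx": b"PK\x03\x04 quarterly figures, nothing unusual",
    "Backup/report_copy.docx": b"PK\x03\x04 quarterly figures, nothing unusual",
    "Windows/notepad.exe": b"MZ\x90\x00 stock operating system binary",
    "recovered/deleted_0001.eml": b"Subject: transfer\r\nPlease move the funds to account 4471 tonight",
    "unallocated/fragment_0042.bin": b"\x00\x13" + "invoice for ACCOUNT 4471".encode("utf-16-le") + b"\xff\xfe",
}

# Assumption: a reference set of hashes for known, irrelevant files (built here
# from the constructed sample itself rather than from a real reference database).
KNOWN_HASHES = {hashlib.sha256(SAMPLE_ITEMS["Windows/notepad.exe"]).hexdigest()}


def reduce_data_set(items, known_hashes):
    """Drop known files and exact duplicates; return {sha256: (name, data)}."""
    kept = {}
    for name in sorted(items):
        digest = hashlib.sha256(items[name]).hexdigest()
        if digest in known_hashes or digest in kept:
            continue
        kept[digest] = (name, items[name])
    return kept


def string_search(reduced, keywords):
    """Case-insensitive search of raw bytes for ASCII keywords in two encodings."""
    hits = []
    for name, data in reduced.values():
        haystack = data.lower()  # bytes.lower() only touches ASCII letters
        for word in keywords:
            for encoding in ("ascii", "utf-16-le"):
                offset = haystack.find(word.lower().encode(encoding))
                if offset != -1:
                    hits.append((name, word, encoding, offset))
    return sorted(hits)


def run_example():
    reduced = reduce_data_set(SAMPLE_ITEMS, KNOWN_HASHES)
    return reduced, string_search(reduced, ["account 4471"])


if __name__ == "__main__":
    reduced, hits = run_example()
    print(len(SAMPLE_ITEMS), "items reduced to", len(reduced), "with hits", hits)
```

The recorded byte offset lets a reviewer go straight to the matching region of a fragment, and the SHA-256 key of each kept item can be noted alongside the finding.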

Conclusion

Much as the Information Revolution itself is driven not by any one event or person, but constantly redefines and reinvents itself by nature of the very tools it has provided, so computer forensics will continue to be dynamic. Information security is a process and not a product, and this is also true of computer forensics.

What is certain is that appropriate training offered by The Chartered Institute of Professional Financial Managers (CIPFM) in partnership with the International Institute of Certified Forensic Investigation Professionals (IICFIP) in the field of forensic science and investigations, coupled with access to the best tools and methodologies, is paramount, as it is for any other area of forensic science. Education is necessary to become competent in any profession, and digital forensics is no exception. Education can take many forms, including professional institutes, university instruction, attendance at conferences, vendor classes, workshops, and self-study. Each of these should be evaluated to determine if it helps move someone toward their educational goal.


We congratulate one of our students Patson Ngirandi for tying the knot. Ngirandi’s wedding in pictures

CIPFM WISHES YOU WELL. GOD BLESS YOUR UNION.


CONTACTS

(+263) 4 487216
(+263) 774

[email protected]

17 Amby Drive, Greendale, Msasa, Harare

www.cipfm.com