Guide to Computer Forensics and Investigations, Second Edition - PowerPoint PPT Presentation

Slides: 49
Provided by: kuroskiNe6
Transcript and Presenter's Notes


1
Guide to Computer Forensics and Investigations,
Second Edition
  • Chapter 5
  • Processing Crime and Incident Scenes

2
Objectives
  • Collect evidence in private-sector incident
    scenes
  • Process law enforcement crime scenes
  • Prepare for a search

3
Objectives (continued)
  • Secure a computer incident or crime scene
  • Seize digital evidence at the scene
  • Review a case using three different computer
    forensics tools

4
Collecting Evidence in Private-Sector Incident
Scenes
  • Freedom of Information Act (FOIA)
      • States public records are open and available
        for inspection
      • Citizens can request public documents created
        by federal agencies
  • Homeland Security Act
  • Patriot Act

5
Collecting Evidence in Private-Sector Incident
Scenes (continued)
  • Corporate environment is much easier than
    criminal environment
  • Employees' expectation of privacy
  • Create and publish a privacy policy
  • Use warning banners
  • State when an investigation can be initiated
  • Reasonable suspicion

6
Collecting Evidence in Private-Sector Incident
Scenes (continued)
7
Collecting Evidence in Private-Sector Incident
Scenes (continued)
  • Avoid becoming a law enforcement agent
  • Check with your corporate attorney on how to
    proceed
  • Commingled data
  • Warrants
  • Subpoena
  • Civil liability

8
Processing Law Enforcement Crime Scenes
  • Criminal rules of search and seizure
  • Probable cause
      • Specific crime was committed
      • Evidence exists
      • Place to be searched includes evidence
  • Warrant
      • Probable cause
      • Witness

9
Processing Law Enforcement Crime Scenes
(continued)
10
Understanding Concepts and Terms Used in Warrants
  • Innocent information
      • Unrelated information
  • Limiting phrase
      • Separate innocent information from evidence
  • Plain view doctrine
      • Searched area can be extended
  • Knock and announce

11
Preparing for a Search
  • Most important step in computing investigations
  • Steps
      • Identifying the nature of the case
      • Identifying the type of computer system
      • Determining whether you can seize a computer
      • Obtaining a detailed description of the
        location

12
Preparing for a Search (continued)
  • Steps (continued)
      • Determining who is in charge
      • Using additional technical expertise
      • Determining the tools you need
      • Preparing the investigation team

13
Identifying the Nature of the Case
  • Private or public
  • Dictates
      • How you proceed
      • Resources needed during the investigation

14
Identifying the Type of Computing System
  • Identify
      • Size of the disk drive
      • Number of computers at the crime scene
      • OSs
      • Specific details about the hardware
  • Easier to do in a controlled environment, such as
    a corporation

15
Determining Whether You Can Seize a Computer
  • Ideal situation
      • Seize computers and take them to your lab
  • Not always possible
      • Need a warrant
  • Consider using portable resources

16
Obtaining a Detailed Description of the Location
  • Get as much information as you can
  • Identify potential hazards
      • Interact with your HAZMAT team
  • HAZMAT guidelines
      • Protect your target disk before using it
      • Check for high temperatures

17
Determining Who Is in Charge
  • Corporate computing investigations require only
    one person to respond
  • Law enforcement agencies
      • Handle large-scale investigations
      • Designate lead investigators

18
Using Additional Technical Expertise
  • Look for specialists
      • OSs
      • RAID servers
      • Databases
  • Can be hard
  • Educate specialists in proper investigative
    techniques
      • Prevent evidence damage

19
Determining the Tools You Need
  • Prepare your tools using incident and crime scene
    information
  • Initial-response field kit
      • Lightweight
      • Easy to transport
  • Extensive-response field kit
      • Includes all tools you can afford

20
Determining the Tools You Need (continued)
21
Determining the Tools You Need (continued)
22
Preparing the Investigation Team
  • Review facts, plans, and objectives
  • Coordinate an action plan with your team
      • Collect evidence
      • Secure evidence
  • Slow response can cause digital evidence to be
    lost

23
Securing a Computer Incident or Crime Scene
  • Preserve the evidence
  • Keep information confidential
  • Define a secure perimeter
      • Use yellow barrier tape
      • Legal authority
  • Professional curiosity
      • Can destroy evidence

24
Seizing Digital Evidence at the Scene
  • Law enforcement can seize evidence with a proper
    warrant
  • Corporate investigators rarely can seize evidence
  • U.S. DoJ standards for seizing digital data
      • Civil investigations follow same rules
      • Require less documentation, though
  • Consult with your attorney for extra guidelines

25
Processing a Major Incident or Crime Scene
  • Guidelines
      • Keep a journal
      • Secure the scene
      • Be professional and courteous with onlookers
      • Remove people who are not part of the
        investigation
      • Video record the computer area
      • Pay attention to details

26
Processing a Major Incident or Crime Scene
(continued)
  • Guidelines (continued)
      • Sketch the incident or crime scene
      • Check computers as soon as possible
      • Save data from current applications as safely
        as possible
      • Make notes of everything you do when copying
        data from a live suspect computer
      • Close applications and shut down the computer

27
Processing a Major Incident or Crime Scene
(continued)
  • Guidelines (continued)
      • Look for information related to the
        investigation
          • Passwords, passphrases, PINs, bank accounts
      • Collect documentation and media related to
        the investigation
          • Hardware, software, backup media

28
Processing Data Centers with an Array of RAIDs
  • Sparse evidence file recovery
      • Extracts only data related to evidence for
        your case from allocated files
      • Minimizes how much data you need to analyze
      • Doesn't recover residual data in free or slack
        space
  • If you have a computer forensics tool that
    accesses the unallocated space on a RAID system,
    work it on a test system first to make sure it
    doesn't corrupt the RAID computer

29
Using a Technical Advisor at an Incident or Crime
Scene
  • Technical specialists
  • Responsibilities
      • Know aspects of the seized system
      • Direct the investigator handling sensitive
        material
      • Help secure the scene
      • Help document the planning strategy
      • Conduct ad hoc training
      • Document activities

30
Sample Civil Investigation
  • Recover specific evidence
      • Suspect's Outlook e-mail folder (PST file)
  • Covert surveillance
      • Company policy
      • Risk of civil or criminal liability
  • Sniffing tools
      • For data transmissions

31
Sample Criminal Investigation
  • Computer crimes examples
      • Fraud
      • Check fraud
      • Homicides
  • Need a warrant to start seizing evidence
      • Limit searching area

32
Sample Criminal Investigation (continued)
33
Reviewing a Case
  • Tasks for planning your investigation
      • Identify the case requirements
      • Plan your investigation
      • Conduct the investigation
      • Complete the case report
      • Critique the case

34
Identifying the Case Requirements
  • Identify requirements, such as
      • Nature of the case
      • Suspect's name
      • Suspect's activity
      • Suspect's hardware and software specifications

35
Planning Your Investigation
  • List what you can assume or know
      • Several incidents may or may not be related
      • Suspect's computer can contain information
        about the case
      • Whether someone else has used suspect's
        computer
  • Make an image of suspect's computer disk drive
  • Analyze forensics copy

36
DriveSpy
  • Functions
      • Create an image
      • Verify validity of image
      • Analyze image
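As an added illustration of what "create an image" and "verify validity of image" involve in practice, together with the journal notes the scene-processing guidelines call for, the following is example code written for this page; it is not code from the textbook, DriveSpy, or any other tool named here. It images a constructed in-memory "drive" byte for byte, records an acquisition hash, re-verifies the written copy independently, and produces a journal line; every function name and the sample drive contents are assumptions.

```python
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 4096  # bytes read per iteration; real imagers use sector multiples

def hash_stream(stream, algo="sha256"):
    """Rewind and hash a stream in chunks; returns the hex digest."""
    h = hashlib.new(algo)
    stream.seek(0)
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def acquire_image(source, dest):
    """Bit-stream copy: write every byte of source to dest, hashing the bytes
    as they are read. Returns the acquisition hash of what was read."""
    h = hashlib.sha256()
    source.seek(0)
    dest.seek(0)
    for block in iter(lambda: source.read(CHUNK), b""):
        h.update(block)
        dest.write(block)
    return h.hexdigest()

def verify_image(image, acquisition_hash):
    """Re-read the written image independently; True only if it matches."""
    return hash_stream(image) == acquisition_hash

def journal_entry(case_id, examiner, size, acq_hash, verified):
    """One journal line: who imaged what, when, the hash, and the verdict."""
    when = datetime.now(timezone.utc).isoformat(timespec="seconds")
    status = "yes" if verified else "NO"
    return (f"{when} case={case_id} examiner={examiner} bytes={size} "
            f"sha256={acq_hash} verified={status}")

# Constructed stand-in for a suspect drive (not real evidence data).
SAMPLE_DRIVE = b"BOOT" + b"\x00" * 6000 + b"budget.xls fragment" + b"\xff" * 4000

def run_acquisition(drive_bytes=SAMPLE_DRIVE, case_id="CASE-EXAMPLE",
                    examiner="examiner", tamper=False):
    """Image, verify, journal. tamper=True alters one byte of the image after
    acquisition to show that verification catches a changed copy.
    Returns (acquisition_hash, verified, journal_line)."""
    source, image = io.BytesIO(drive_bytes), io.BytesIO()
    acq_hash = acquire_image(source, image)
    if tamper:
        image.seek(10)       # offset 10 is a zero byte in SAMPLE_DRIVE
        image.write(b"\x01")
    verified = verify_image(image, acq_hash)
    line = journal_entry(case_id, examiner, len(drive_bytes), acq_hash, verified)
    return acq_hash, verified, line
```

The acquisition hash is computed from the bytes read, and the image is hashed again from what was written, so a copy that differs from the source for any reason fails verification and the journal line records that.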

37
DriveSpy (continued)
38
DriveSpy (continued)
39
Access Data Forensic Toolkit (FTK)
  • Functions
      • Extract the image from a bit-stream image file
      • Analyze the image

40
Access Data Forensic Toolkit (FTK) (continued)
41
Access Data Forensic Toolkit (FTK) (continued)
42
X-Ways Forensics
  • Functions
      • Extract forensic image
      • Analyze image

43
X-Ways Forensics (continued)
44
X-Ways Forensics (continued)
45
X-Ways Forensics (continued)
46
Summary
  • Private sector
      • Contained and controlled area
      • Publish right to inspect computer assets
        policy
  • Private and public sectors follow same computing
    investigation rules
  • Avoid becoming an agent of law enforcement
  • Criminal cases require warrants

47
Summary (continued)
  • Protect your safety and health as well as the
    integrity of the evidence from hazardous
    materials
  • Follow guidelines when processing an incident or
    crime scene
      • Securing perimeter
      • Video recording

48
Summary (continued)
  • Become familiar with forensics tools
      • DriveSpy and Image
      • FTK
      • X-Ways Forensics