Understanding Computer Investigations - PowerPoint PPT Presentation

About This Presentation
Title:

Understanding Computer Investigations

Slides: 40
Provided by: Rus955

Transcript and Presenter's Notes


1
Understanding Computer Investigations
  • Chapter 2

2
Learning Objectives
  • Prepare a Case
  • Begin an Investigation
  • Understand Data-Recovery Workstations and
    Software
  • Execute an Investigation
  • Complete a Case
  • Critique a Case

3
Preparing a Computer Investigation
Chain of Custody: The route that evidence takes
from the time you find it until the case is
closed or goes to court.
4
Preparing a Computer Investigation
Password-Protected: Files and areas of any
storage medium to which access is limited by a
password, to prevent unintentional or unauthorized
use.
5
Preparing a Computer Investigation
Password-Cracking Software: Software that recovers
a password by hashing candidate words and comparing
the result with the stored password hash, or that
simply guesses passwords from dictionaries, common
combinations, and standard transformation rules.
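The following script is an added example, not code from the slides or from the textbook they summarize. It shows the hash-matching approach the definition describes: each base word from a small word list is expanded with common combinations (capitalization, leetspeak, digit and year suffixes), hashed, and compared with the stored digest. The word list, the mangling rules, the use of an unsalted SHA-256 digest as the "stored hash" and the sample target are all constructed for illustration.

```python
"""Dictionary attack against a stored password hash (added example).

A password is normally stored as a digest rather than in the clear, so a
cracker cannot decode it; it hashes guesses and compares digests. The
word list and mangling rules below are constructed for illustration.
"""
import hashlib

# Constructed word list; a real attack uses a file of millions of words.
WORDLIST = ["password", "letmein", "forensics", "summer", "dragon"]

# Transformations people commonly apply to a base word.
LEET = str.maketrans("aeios", "43105")
SUFFIXES = ("", "1", "12", "123", "!", "2003", "2004")


def digest(text, algo="sha256"):
    """Hex digest of text; stands in for the stored password hash."""
    return hashlib.new(algo, text.encode()).hexdigest()


def candidates(word):
    """Yield the common combinations of one base word, most likely first."""
    seen = set()
    for base in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:        # upper-case and leet forms can coincide
                seen.add(cand)
                yield cand


def crack(target_hex, wordlist=WORDLIST, algo="sha256"):
    """Return (password, guesses_tried) for the first guess whose digest
    equals target_hex, or (None, guesses_tried) when the list is exhausted."""
    target = target_hex.lower()
    tried = 0
    for word in wordlist:
        for cand in candidates(word):
            tried += 1
            if digest(cand, algo) == target:
                return cand, tried
    return None, tried


if __name__ == "__main__":
    # Constructed "stored hash" for a user who chose Forensics123.
    stored = digest("Forensics123")
    print(crack(stored))
```

Every guess costs one hash computation, which is why an unsalted, fast hash is so weak: the same guesses can be compared against every stored hash at once. A per-user salt forces the work to be repeated per account, and a deliberately slow hash such as a password-stretching KDF raises the cost of each guess.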
6
Preparing a Computer Investigation
  • Examining a Company-Policy Violation
  • Internet surfing, Personal e-mail, Personal
    business
  • Complaint filed
  • Activities monitored

7
Taking a Systematic Approach
  • Make an initial assessment about the type of case
    you are investigating.
  • Determine a preliminary design or approach to the
    case.
  • Create a detailed design.
  • Determine the resources you need.
  • Obtain and copy an evidence disk drive.

8
Taking a Systematic Approach
  • Identify the risks.
  • Mitigate or minimize the risks.
  • Test the design.
  • Analyze and recover the digital evidence.
  • Investigate the data you recover.
  • Complete the case report.
  • Critique the case.

9
Taking a Systematic Approach
  • Assessing the case includes
  • Situation
  • Nature of case
  • Specifics about the case
  • Type of evidence
  • Operating system
  • Known disk format
  • Location of evidence

10
Taking a Systematic Approach
  • Planning Your Investigation
  • Acquire the floppy disk.
  • Complete an evidence form and establish a chain
    of custody.
  • Transport the evidence to your computing-forensics
    lab.
  • Secure your evidence in an approved secure
    container
  • Prepare your computer forensics workstation

11
Taking a Systematic Approach
  • Planning Your Investigation
  • Obtain the evidence from the secure evidence
    container.
  • Make a forensic copy of the evidence floppy disk.
  • Return the evidence floppy disk to the secure
    container.
  • Process the copied floppy disk with your computer
    forensics tools.

12
Taking a Systematic Approach
  • Evidence Custody Form: Helps document what has
    or has not been done with both the original
    evidence and the forensic copy of the evidence.

13
Taking a Systematic Approach
Single-Evidence Form: A form that dedicates a
page to each item retrieved for a case. It
allows the investigator to add more detail about
exactly what was done to the evidence each time
it was taken from the storage locker.
14
Taking a Systematic Approach
Multi-Evidence Form: A chain-of-evidence form
that is used with all aspects of a case and lists
all items associated with that case.
15
Taking a Systematic Approach
16
Taking a Systematic Approach
  • A chain-of-evidence form typically contains
  • Case number
  • Investigating organization
  • Investigator
  • Nature of case
  • Location where evidence was obtained
  • Description of evidence
  • Vendor name

17
Taking a Systematic Approach
  • A chain-of-evidence form typically contains
  • Model number or serial number
  • Evidence recovered by
  • Date and time
  • Evidence placed in locker
  • Evidence processed by item number
  • Item / Evidence processed by / Disposition / Date / Time
  • Page
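The following is an added example, not code from the slides or the textbook they summarize. It models the two forms described above (the multi-evidence form listing every item in the case, and the single-evidence page recording each time an item leaves and returns to the locker) and enforces the planning steps listed earlier: an item is removed from the secure container for processing and returned to it afterwards, and the chain is flagged as broken if an item is removed twice without being returned or an entry is out of order. The field names follow the chain-of-evidence form contents listed on the slides; the class and method names, and the sample case, are assumptions for illustration.

```python
"""Evidence custody forms as structured records (added example).

MultiEvidenceForm is the per-case form; each EvidenceItem carries its own
single-evidence page of CustodyEntry lines. The API and sample data are
constructed for illustration and are not any product's.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class CustodyEntry:
    """One line of a single-evidence page."""
    processed_by: str
    disposition: str        # e.g. "removed for imaging", "returned to locker"
    when: datetime
    returned: bool          # True if this entry puts the item back in the locker


@dataclass
class EvidenceItem:
    """One line of the multi-evidence form plus its single-evidence page."""
    item_number: int
    description: str
    vendor: str
    model_or_serial: str
    recovered_by: str
    recovered_at: datetime
    location: str
    locker: str
    page: list = field(default_factory=list)   # CustodyEntry lines, in order

    def in_locker(self):
        return not self.page or self.page[-1].returned


@dataclass
class MultiEvidenceForm:
    case_number: str
    organization: str
    investigator: str
    nature_of_case: str
    items: dict = field(default_factory=dict)

    def add_item(self, item):
        if item.item_number in self.items:
            raise ValueError(f"duplicate item number {item.item_number}")
        self.items[item.item_number] = item

    def _item(self, number):
        try:
            return self.items[number]
        except KeyError:
            raise ValueError(f"item {number} is not on form {self.case_number}") from None

    def remove_for_processing(self, number, who, purpose, when):
        """Record that an item left the locker; refuse if it is already out."""
        item = self._item(number)
        if not item.in_locker():
            raise ValueError(f"item {number} is already out of the locker: chain broken")
        if item.page and when <= item.page[-1].when:
            raise ValueError("entries must be in chronological order")
        item.page.append(CustodyEntry(who, purpose, when, returned=False))

    def return_to_locker(self, number, who, when):
        """Record the item's return; refuse if it was never checked out."""
        item = self._item(number)
        if item.in_locker():
            raise ValueError(f"item {number} was never removed: chain broken")
        if when <= item.page[-1].when:
            raise ValueError("entries must be in chronological order")
        item.page.append(CustodyEntry(who, "returned to locker", when, returned=True))

    def custody_gaps(self):
        """Item numbers that are not in the locker right now."""
        return [n for n, it in self.items.items() if not it.in_locker()]

    def history(self, number):
        """The single-evidence page as lines: item / processed by / disposition / date and time."""
        return [f"{number} / {e.processed_by} / {e.disposition} / {e.when:%Y-%m-%d %H:%M}"
                for e in self._item(number).page]


def example_case():
    """Constructed sample: one floppy disk removed for imaging and returned."""
    form = MultiEvidenceForm("2004-0017", "Example Corp Security", "R. Nelson",
                             "company-policy violation")
    form.add_item(EvidenceItem(1, "3.5-inch floppy disk, blue label", "Sony", "MFD-2HD",
                               "R. Nelson", datetime(2004, 3, 2, 9, 15),
                               "desk of subject, room 214", "locker B-3"))
    form.remove_for_processing(1, "R. Nelson", "removed for bit-stream imaging",
                               datetime(2004, 3, 2, 10, 0))
    form.return_to_locker(1, "R. Nelson", datetime(2004, 3, 2, 10, 40))
    return form


if __name__ == "__main__":
    case = example_case()
    print("\n".join(case.history(1)))
    print("items out of locker:", case.custody_gaps())
```

Keeping the page as an append-only list, with every removal paired to a later return, is what makes the form usable in court: any item that is out of the locker, or any entry that cannot be placed in time, shows up in custody_gaps or as a refused entry instead of being silently absorbed.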

18
Taking a Systematic Approach
19
Taking a Systematic Approach
Evidence Bags: Anti-static bags used to
transport floppy disks, hard disks, and other
computer components.
20
Taking a Systematic Approach
21
Taking a Systematic Approach
22
Understanding Data-Recovery Workstations and
Software
Data-Recovery Lab: An alternate name for a
computer-forensics lab.
Computer-Forensics Lab: A computer lab that is
dedicated to computing investigations, and
typically has a variety of computers, operating
systems (OSs), and forensic software.
23
Understanding Data-Recovery Workstations and
Software
Computer-Forensic Workstation: A workstation set
up to allow copying of forensic evidence, whether
on a hard drive, floppy, CD, or Zip disk. It
typically has various software preloaded and
ready to use.
24
Understanding Data-Recovery Workstations and
Software
  • Computer forensics work can be completed on the
    following platforms
  • MS-DOS 6.22
  • Windows 95,98, or Me
  • Windows NT 3.5 or 4.0
  • Windows 2000
  • Windows XP

25
Understanding Data-Recovery Workstations and
Software
Setting Up Your Workstation for Computer
Forensics
1. Start Windows, then select Start, Run.
26
Understanding Data-Recovery Workstations and
Software
2. In the Open text box, type msconfig, then click OK.
27
Understanding Data-Recovery Workstations and
Software
3. Click the Advanced button.
28
Understanding Data-Recovery Workstations and
Software
4. Click the Enable Startup Menu check box.
5. Click OK to close the Advanced Troubleshooting
   Settings dialog.
6. Click OK to close the System Configuration
   Utility.

29
Understanding Data-Recovery Workstations and
Software
7. Add the corresponding command to your MSDOS.SYS
   file, so that the workstation can be started at a
   command prompt without loading the Windows GUI.
30
Executing an Investigation
  • Gather the following resources
  • Original floppy disk
  • Evidence form
  • Evidence container/evidence bag
  • Bit-stream imaging tool
  • Computing forensic workstation
  • Secure evidence container

31
Executing an Investigation
Understanding Bit-Stream Copies
Bit-Stream Copy: Bit-by-bit copy of the original
storage medium; an exact duplicate of the original
disk.
Bit-Stream Image: File that contains an exact
copy of all the data on a disk or disk partition.
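The following is an added example, not code from the slides or the textbook they summarize. It makes the distinction above concrete: a small "disk" is constructed in memory with a directory sector that points at one live file and a sector of unallocated space that still holds the remnant of a deleted file. The bit-stream copy reproduces every sector and hashes identically to the source, which is the check an examiner makes before the original goes back into the evidence container; a logical, file-by-file copy silently drops the remnant, so a keyword search on it misses what the image finds. The sector layout, directory format and sample contents are invented for illustration.

```python
"""Bit-stream copy versus logical copy of a disk (added example).

Constructed layout: sector 0 is a toy directory of "name:first:count"
entries separated by ';', the sectors it points to are the live files,
everything else is unallocated space. Not a real file system.
"""
import hashlib
import io

SECTOR = 512
DISK_SECTORS = 8


def build_sample_disk():
    """Constructed source medium: 8 sectors, one live file, one deleted remnant."""
    disk = bytearray(SECTOR * DISK_SECTORS)
    directory = b"memo.txt:1:1"                  # name:first_sector:sector_count
    live = b"Q3 budget memo - approved"
    remnant = b"DELETED: resignation letter draft, do not send"
    disk[0:len(directory)] = directory                      # sector 0: directory
    disk[SECTOR:SECTOR + len(live)] = live                  # sector 1: allocated file
    disk[4 * SECTOR:4 * SECTOR + len(remnant)] = remnant    # sector 4: unallocated
    return bytes(disk)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def bit_stream_copy(src, dst, chunk=SECTOR):
    """Copy src to dst one sector at a time, hashing the stream as it goes.
    Returns (bytes_copied, sha256 hex of everything written)."""
    h = hashlib.sha256()
    copied = 0
    while True:
        block = src.read(chunk)
        if not block:
            break
        dst.write(block)
        h.update(block)
        copied += len(block)
    return copied, h.hexdigest()


def acquire_image(disk_bytes):
    """Produce a bit-stream image of the medium and verify it against the
    source hash before the original is returned to the evidence container."""
    src, dst = io.BytesIO(disk_bytes), io.BytesIO()
    copied, stream_hash = bit_stream_copy(src, dst)
    if copied != len(disk_bytes) or stream_hash != sha256_hex(disk_bytes):
        raise RuntimeError("image does not match source; do not proceed")
    return dst.getvalue(), stream_hash


def logical_copy(disk_bytes):
    """What a file-level copy sees: only the sectors the directory points to."""
    directory = disk_bytes[0:SECTOR].rstrip(b"\0").decode()
    out = bytearray()
    for entry in directory.split(";"):
        if not entry:
            continue
        _name, first, count = entry.split(":")
        start = int(first) * SECTOR
        out += disk_bytes[start:start + int(count) * SECTOR]
    return bytes(out)


def search(data, keyword):
    """Byte offsets of keyword in data, as a forensic keyword search reports them."""
    hits, pos = [], data.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = data.find(keyword, pos + 1)
    return hits


if __name__ == "__main__":
    disk = build_sample_disk()
    image, digest = acquire_image(disk)
    print("image sha256:", digest)
    print("bit-stream hits:", search(image, b"DELETED"))
    print("logical-copy hits:", search(logical_copy(disk), b"DELETED"))
```

Recording the hash of the image next to the hash of the original on the evidence form is what later lets anyone show that the working copy, not the original, was examined and that neither changed in the meantime.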
32
Executing an Investigation
Understanding Bit-Stream Copies
33
Executing an Investigation
  • Utilities for Creating Bit-Stream Copies and
    Images
  • MS-DOS, Diskcopy
  • Digital Intelligence, DriveSpy
  • Guidance Software, EnCase

34
Completing the Case
  • Create a case report
  • Keep a written journal
  • Use company templates if available

35
Critiquing the Case
  • How could you improve your participation in the
    case?
  • Did you expect the results you found? Did the
    case develop in ways you did not expect?
  • Was the documentation as thorough as it could
    have been?
  • What feedback has been received from the
    requesting source?
  • Did you discover any new problems?
  • Did you use new techniques during the case or
    during your research?

36
Chapter Summary
  • Always use a systematic approach to your
    investigations. Determine the type of problem you
    are dealing with, create a preliminary plan,
    choose your resources, perform a risk analysis,
    and then implement the plan.
  • When planning a case, take into account the
    nature of the case, the instructions from the
    requestor, what additional tools and/or expertise
    you may need, and how you will acquire the
    evidence.

38
Chapter Summary
  • Criminal cases and corporate-policy violations
    should be handled in much the same manner to
    ensure quality evidence is presented. Criminal
    cases go to court, and company-policy
    violations can end up there too.
  • When you begin a case, apply standard
    problem-solving techniques such as defining the
    problem, designating a solution, and carrying out
    that solution.
  • You should create a standard evidence custody
    form to track the chain of custody of the
    evidence relating to your case. There are two
    types of forms: a multi-evidence form and a
    single-evidence form.

39
Chapter Summary
  • Always maintain a journal to make notes on
    exactly what you did when handling evidence.
  • An image file is a bit-by-bit duplicate of the
    original disk. You should use the duplicate
    whenever possible.
  • DriveSpy and Image are common command-line
    forensics tools that can retrieve existing files,
    deleted files, and file fragments.
  • You can create bit-stream copies of disks using
    either the Diskcopy DOS utility or the Image
    tool.